US20070203990A1 - Techniques for establishing subscriber sessions on an access network using DHCP - Google Patents
Techniques for establishing subscriber sessions on an access network using DHCP Download PDFInfo
- Publication number
- US20070203990A1 US20070203990A1 US11/362,703 US36270306A US2007203990A1 US 20070203990 A1 US20070203990 A1 US 20070203990A1 US 36270306 A US36270306 A US 36270306A US 2007203990 A1 US2007203990 A1 US 2007203990A1
- Authority
- US
- United States
- Prior art keywords
- echo
- dhcp
- network node
- node
- request message
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3271—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/50—Address allocation
- H04L61/5007—Internet protocol [IP] addresses
- H04L61/5014—Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0892—Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/56—Financial cryptography, e.g. electronic payment or e-cash
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/162—Implementing security features at a particular protocol layer at the data link layer
Definitions
- the present invention relates to migrating point to point protocol (PPP) functions for customer access of a wide area network to the Internet Protocol (IP).
- PPP point to point protocol
- IP Internet Protocol
- Networks of general purpose computer systems and special devices connected by external communication links are well known.
- the networks often include one or more network devices that facilitate the passage of information between the computer systems.
- a network node is a network device or computer system or special device connected by the communication links.
- a protocol consists of a set of rules defining how the nodes interact with each other based on information sent over the communication links.
- the protocols are effective at different layers of operation within each node, from generating and receiving physical signals of various types, to selecting a link for transferring those signals, to the format of information indicated by those signals, to identifying which software application executing on a computer system sends or receives the information.
- the conceptually different layers of protocols for exchanging information over a network are described in the Open Systems Interconnection (OSI) Reference Model.
- the OSI Reference Model is generally described in more detail in Section 1.1 of the reference book entitled Interconnections Second Edition , by Radia Perlman, published September 1999, which is hereby incorporated by reference as though fully set forth herein.
- Each packet typically comprises 1] header information associated with a particular protocol, and 2] payload information that follows the header information and contains information that may be processed independently of that particular protocol.
- the packet includes 3] trailer information following the payload and indicating the end of the payload information.
- the header includes information such as the source of the packet, its destination, the length of the payload, and other properties used by the protocol.
- the data in the payload for the particular protocol includes a header and payload for a different protocol associated with a different, higher layer of the OSI Reference Model.
- the header for a particular protocol typically indicates a type for the next protocol contained in its payload. The next protocol is said to be encapsulated in the particular protocol.
- the headers included in a packet traversing multiple heterogeneous networks typically include a physical (layer 1) header, a data-link (layer 2) header, an internetwork (layer 3) header and a transport (layer 4) header, as defined by the Open Systems Interconnection (OSI) Reference Model.
- OSI Open Systems Interconnection
- Ethernet local area network (LAN) protocol includes both layer 1 and layer 2 information.
- IEEE 82.3 protocol an implementation of the Ethernet protocol, includes layer 1 information and some layer 2 information.
- One such layer 2 protocol is the Point to Point Protocol (PPP) between a host computer on a local area network and a network node that provides access to a wide area network, such as the Internet.
- PPP Point to Point Protocol
- These control packets and the processes at network nodes that utilize the control packets are said to be in another dimension, a “control plane,” distinct from the “data plane” dimension that includes the data packets with payloads for other applications.
- authentication information used to authenticate users and layer 3 address assignment information used by routers to direct data packets according to their layer 3 addresses are passed between nodes in PPP control messages in the PPP control plane.
- PPP provides a standard method for transporting any of multiple protocol data packets (also called frames, datagrams and cells, and used interchangeably herein) over point-to-point links.
- PPP is defined in an Internet Engineering Task Force (IETF) request for comments document (RFC) numbered 1661, dated July 1994, the entire contents of which are hereby incorporated by reference as if fully set forth herein. Copies of RFC 1661 and other RFCs cited below are available at the World Wide Web domain ietf.org.
- PPP has been used extensively to connect users at a home site to a remote network using modems and telephone copper loop infrastructure.
- PPP provides a robust control plane for signaling line characteristics, network protocol parameters, and user-level authentication. In large service provider networks, the user authentication models are generally well entrenched, including, but not limited to, custom-built applications for communicating policy to network equipment and to track billing information.
- PPPoE PPP over Ethernet
- PPPoE is intended to be used with broadband remote access technologies that provide a bridged Ethernet topology, when access providers wish to distinguish different users connected via the same modem to the remote network.
- PPP provides this distinction by opening different sessions with different users.
- PPPoE is described in IETF RFC 2516, the entire contents of which are hereby incorporated by reference as if fully set forth herein.
- One approach is to eliminate PPP and PPPoE; and provide the PPP functions using IP-based functions. For example, it has been proposed to use International Electrical and Electronics Engineers standard 802.1x or web portal methods for authentication, and to use the Dynamic Host Configuration Protocol (DHCP) for assigning IP addresses.
- DHCP Dynamic Host Configuration Protocol
- a justification offered for this approach is that, when all encapsulated data packets are IP, the multi-protocol encapsulation capability of PPP is not valuable.
- PPP PPP-based authentication
- web portal based authentication has drawbacks in that it requires a specific application (web browser) to be activated before anything can happen.
- the existing IP-based functions do not perform all the functions performed by PPP.
- Some of these protocols would have to be extended to perform the missing functions.
- DHCP would have to be extended to perform user authentication and integration with an authorization server, and include a connection “keep-alive” mechanism, among other tasks, in order to encompass all of the functionality that PPP offers today.
- a mechanism is presented that is directed to authenticating the DHCP messages themselves to ensure that they did not get altered in transmit, rather than authenticating the user.
- PPP provides a “keep-alive” mechanism for detecting when a session is active and available so that reallocation of an IP address or billing can take place on session termination.
- DHCP does not have any mechanism today apart from a lease timeout.
- DHCP is used with very short lease times, e.g., as short as 5 seconds.
- a problem with this approach is that devices for users who engage in sessions that last longer than the lease time have to negotiate new leases with the DHCP server, increasing the consumption of network resources both in terms of traffic volume and computational time at a node that hosts a DHCP server.
- An Address Resolution Protocol has been developed and deployed to determine what nodes have what IP addresses.
- An ARP request is broadcast on a link, and every node on the link responds with its IP address.
- ARP is used to determine whether an IP address known to be on a given link is still active.
- a problem with this approach is that any recipient of the broadcast may respond.
- a mls-configured or rogue recipient may respond with the IP address of a disconnected node and thereby mask the actual loss of connection state.
- PPP-based functions are generally well entrenched with provider-specific extensions.
- some provider-specific extensions provide authorization to determine whether an authentic user is in good standing for receiving one or more services, e.g., for paid-up basic services, for voice services, or for a particular quality of service, or some combination.
- Many of these extensions involve a Broadband Remote Access Server (BRAS) hooking into an Authentication, Authorization, Accounting (AAA) server like the Remote Authentication Dial-In-ervice (RADIUS) server.
- BRAS Broadband Remote Access Server
- AAA Authentication, Authorization, Accounting
- RFC 3118 nor DHCP are directed to determining whether an authentic user is actually authorized to access any particular services on the network, nor involve hooking into an AAA server.
- a wholesale replacement of general PPP functions with IP will not address any provider-specific extensions. Some transition period is needed to give the provider time to adapt the provider-specific extensions to the IP mechanisms.
- FIG. 1 is a block diagram that illustrates a remote access network, according to an embodiment
- FIG. 2 is a block diagram that illustrates a packet of data communicated over a network
- FIG. 3 is a block diagram that illustrates a DHCP packet of data communicated over a network
- FIG. 4 is a block diagram that illustrates an end user host according an embodiment
- FIG. 5 is a block diagram that illustrates a BRAS host, according an embodiment
- FIG. 6 is a flow diagram that illustrates a method at a DHCP session process, according to an embodiment
- FIG. 7 is a block diagram that illustrates a computer system configured as an intermediate network node upon which an embodiment of the invention may be implemented.
- DHCP Network Admission Control
- DHCP is based on a client-server model of network communications, well known and widely used in the art.
- client-server model a client process sends a message including a request to a server process, and the server process responds by providing a service.
- the server process may also return a message with a response to the client process.
- client process and server process execute on different computer devices, called hosts, and communicate via a network using one or more protocols for network communications.
- server is conventionally used to refer to the process that provides the service, or the host computer on which the process operates.
- client is conventionally used to refer to the process that makes the request, or the host computer on which the process operates.
- client and “server” refer to the processes, rather than the host computers, unless otherwise clear from the context.
- process performed by a server can be broken up to run as multiple servers on multiple hosts (sometimes called tiers) for reasons that include reliability, scalability, redundancy, or other advantages, or some combination.
- a DHCP client operating on a device communicates with one or more DHCP servers to obtain configuration information, including an IP address for the client's host device.
- the configuration data is valid for a limited time interval, called a lease time.
- the DHCP client may send a renew request message to extend the lease for some period of time, usually another or longer lease time.
- FIG. 1 is a block diagram that illustrates a remote access network 100 , according to an embodiment.
- a computer network is a geographically distributed collection of interconnected sub-networks (e.g., sub-networks 110 a , 110 b , 110 c , 110 d collectively referenced hereinafter as sub-networks 110 ) for transporting data between nodes, such as computers, video content sources and television set boxes.
- sub-networks 110 e.g., sub-networks 110 a , 110 b , 110 c , 110 d collectively referenced hereinafter as sub-networks 110 ) for transporting data between nodes, such as computers, video content sources and television set boxes.
- a local area network (LAN) 110 a is an example of such a sub-network.
- the network's topology is defined by an arrangement of end nodes (e.g., end nodes 120 a , 120 b , 120 c , 120 d , 120 e , 120 f collectively referenced hereinafter as end nodes 120 ) that communicate with one another, typically through one or more intermediate network nodes, such as a router or switch, that facilitate routing data between end nodes 120 on different sub-networks.
- end nodes 120 is a node that is configured to originate or terminate communications over the network.
- End nodes 120 include an Authentication, Authorization, Accounting (AAA) server host 120 e , and a DHCP server host 120 f.
- AAA Authentication, Authorization, Accounting
- an intermediate network node facilitates the passage of data between end nodes.
- Intermediate network nodes depicted in FIG. 1 include customer premises equipment (CPE) 150 a , 150 b , access modules 152 a , 152 b , and Broadband Remote Access Server (BRAS) node 154 .
- CPE customer premises equipment
- BRAS Broadband Remote Access Server
- a LAN 110 a is connected to CPE 150 a which serves as a bridge to a network 110 b called the last mile network.
- the last mile network 110 b is built on a telephone wire infrastructure, such as dial-up or digital subscriber line (DSL), or cable television infrastructure, either coaxial cable or optical fiber, or a wireless infrastructure, such as WiFi (IEEE standard 802.11).
- LAN 110 a uses Ethernet infrastructure.
- the remote site 102 includes an Ethernet LAN 110 a and two end nodes 120 a , 120 b , in other embodiments more or fewer end nodes 120 are connected to more or fewer or different LANs 110 , such as one or more LANs using Asynchronous Transfer Mode (ATM) infrastructure.
- ATM Asynchronous Transfer Mode
- CPE is a telephone modem using acoustic signals over a low-bandwidth legacy telephone system.
- CPE 150 a is a digital subscriber line (DSL) modem for establishing a high bandwidth DSL connection over the telephone wire as last mile network 110 b .
- DSL digital subscriber line
- CPE 150 a is a combined router and end node, such as a cable television set-top box.
- access module 152 a is a DSL Access Module (DSLAM). In other embodiments, access module 152 a is a controller for a bank of low-bandwidth modems or a cable or optical access module.
- DSL Access Module DSL Access Module
- An internet service provider typically maintains several access modules 152 a , 152 b and an access network 110 c for connection to the IP network 110 d (also called a “core” network) through a Broadband Remote Access Server (BRAS) host 154 .
- the access network 110 c is migrating to an Ethernet infrastructure that supports the Internet Protocol (IP).
- IP Internet Protocol
- a customer DHCP session process 141 executes in a DHCP client at end node 120 a
- a provider DHCP session process 142 executes in a BRAS on BRAS host 154
- another DHCP session process 143 , 144 executes at AAA host 120 e or DHCP host 120 f , respectively, or some other node on IP network 110 d or access network 110 c , or some combination.
- the DHCP session processes 141 , 142 , 143 , 144 determine whether a node (e.g., end node 120 a ) operating under a particular DHCP lease is still communicating with one or more nodes on sub-networks 110 .
- FIG. 2 is a block diagram that illustrates a generalized data packet 230 communicated over a network, such as network 100 .
- Each packet typically comprises one or more payloads of data, e.g. payloads 238 , 248 , each encapsulated by at least one network header, e.g., headers 232 , 242 , respectively.
- payloads are encapsulated by appending a header before the payload, sometimes called prepending a header, and sometimes by appending a trailer (or tail) after the payload.
- Each header 232 , 242 is formatted in accordance with a network communication protocol; header 232 is formatted according to a first protocol and header 242 is formatted according to a second protocol.
- the header 242 for the second protocol is included within the payload 238 of the first protocol.
- a header for a particular protocol and its payload constitute a data packet for that protocol and may also be called a cell, frame, datagram or message for that protocol.
- data packets for different protocols are distinguished in shorthand by using a different one of the above terms for different protocols, e.g., to refer to Ethernet frames and IP datagrams, but here the terms are used interchangeably.
- the header for a protocol typically includes type fields that identify the protocol to which the header belongs and the next protocol in the payload, if any.
- the header 232 for the first protocol includes type fields 236 .
- the header for a protocol often includes a destination address or a source address, or both, for the information in the payload.
- the header 232 for the first protocol includes address fields 234 where the source and receiver address for the first protocol is located within the packet 230 .
- a transmitted data packet's network headers include at least a physical link (layer 1) header and a data-link (layer 2) header.
- the physical (layer 1) header defines the electrical, mechanical and procedural mechanisms for proper capture of the Ethernet frame, but is not captured by a Media Access Controller.
- the layer 1 header may include a DSL or ATM or Ethernet layer 1 header, or some combination.
- the data-link header provides information for transmitting the packet over a particular physical link (i.e., a communication medium), such as a point-to-point link, Ethernet layer 2 link, wireless link, optical link, etc.
- An intermediate network node typically contains multiple physical links with multiple different nodes.
- the data-link header may specify a pair of “source” and “destination” network interfaces that are connected by the physical link.
- a network interface contains the mechanical, electrical and signaling circuitry and logic used to couple a network node to one or more physical links.
- a network interface is often associated with a hardware-specific address, known as a media access control (MAC) address. Accordingly, the source and destination network interfaces in the data-link header are typically represented as source and destination MAC addresses.
- the data-link header may also store flow control, frame synchronization and error checking information used to manage data transmissions over the physical link.
- the internetwork header is a layer 3 header that provides information defining the source and destination address within the interconnected sub-networks (internetwork). Notably, the path may span multiple physical links.
- the internetwork header may be formatted according to the Internet Protocol (IP), which specifies IP addresses of both a source and destination node at the end points of the logical path.
- IP Internet Protocol
- the packet may “hop” from node to node along its logical path until it reaches the end node assigned to the destination IP address stored in the packet's internetwork header.
- the source and destination MAC addresses in the packet's data-link header may be updated, as necessary.
- the source and destination IP addresses typically remain unchanged as the packet is transferred from link to link in the network.
- DHCP is a control plane protocol that uses messages carried by the User Datagram Protocol (UDP) to transmit IP addresses and other configuration information used to set up IP as the layer 3 protocol, i.e., the internetwork protocol.
- UDP User Datagram Protocol
- UDP is a simple, small and fast layer 4 protocol without sophisticated error-tracking and sequencing mechanisms, which utilizes IP broadcasts as a layer 3 protocol to carry UDP messages with DHCP payloads.
- IP broadcasts do not rely on individual IP addresses for recipients, but direct data packets to all nodes on a particular network segment. An IP broadcast is indicated by a special broadcast value in the IP destination address field of an IP header.
- a host without an IP address such as the DHCP client's host at startup, can send an IP data packet by inserting a null address (e.g., 0.0.0.0) in the IP source address field of an IP header, and can receive IP broadcast data packets.
- DHCP agents are processes on intermediate network nodes that forward DHCP broadcasts received on one segment to a different network segment, as desired.
- FIG. 3 is a block diagram that illustrates a data packet 310 for a DHCP message communicated over a network.
- a DHCP message is carried inside a UDP payload 304 that follows the UDP header 302 .
- the DHCP message includes a DHCP header 310 and a DHCP payload 320 .
- the DHCP header 310 includes an op type field 312 and an xid field 316 .
- the DHCP header 310 also includes other fields that are not relevant to understanding embodiments of the invention.
- Data held in the DHCP op type field 312 indicates whether the message is sent by a DHCP client to a DHCP server, or is sent by a DHCP server to a DHCP client, as is well known in the art.
- Data held in the DHCP xid field 312 is usually used by a DHCP client to match incoming DHCP messages with pending DHCP requests for configuration data.
- the DHCP payload 320 includes one or more required or optional fields, or both, depending on the message type indicated in a message type field.
- a DHCP option field 322 is illustrated.
- the DHCP option field 322 includes an option type field 323 and option length field 324 and one or more data fields 326 , depending on the option type expressed in the option type field 323 .
- Data held in the option type field 323 indicates the type of option.
- Data held in the DHCP option length field 324 indicates the length of the DHCP option.
- Data held in the DHCP option data fields 326 indicates the values of one or more attributes associated with the option type indicated in the option type field 323 .
- One option carried in the DHCP payload contains an attribute that indicates the type of the DHCP message, such as a DHCPDISCOVER message or a DHCPOFFER message. Different values in the attribute field correspond to different message types. All of the message types are defined in RFC 2131, RFC 2132 and subsequent RFCs, well known in the art.
- a DHCP payload may carry multiple data options fields like field 322 .
- FIG. 4 is a block diagram that illustrates a user end node host 420 , according an embodiment.
- User end node host 420 includes a modified DHCP client 422 and a customer DHCP session process 424 , such as process 141 on end node 120 a .
- the modified DHCP client 422 has an Application Program Interface (API) through which external processes can exchange information with the modified DHCP client 422 .
- API Application Program Interface
- the customer DHCP session process 424 is incorporated within the modified DHCP client 422 .
- the modified DHCP client 422 is modified from the standard DHCP client in order to engage the customer DHCP session process 424 to accomplish session keep-alive and termination using DHCP messages, as described in more detail below with reference to FIG. 6 .
- Such a modified DHCP client allows PPP session functionality to be omitted.
- FIG. 5 is a block diagram that illustrates a BRAS host 550 , according to an embodiment.
- the BRAS host 550 includes a modified BRAS 552 , a modified DHCP server 560 and a provider DHCP session process 562 , such as process 142 on BRAS host 154 .
- the modified DHCP server 560 is modified from a standard DHCP server in order to engage provider DHCP session process 562 .
- provider DHCP session process 562 is external to modified BRAS 552 and interacts with modified BRAS 552 through an API.
- the modified DHCP server 560 is omitted.
- a DHCP relay agent is included in the modified BRAS 552 .
- the modified BRAS 552 is modified in order to directly or indirectly engage the provider DHCP session process 562 to accomplish session keep-alive and termination using DHCP messages, as described in more detail below with reference to FIG. 6 .
- the modified BRAS 552 engages the provider DHCP session process 562 indirectly though a modified DHCP server 560 that itself is modified to engage the provider DHCP session process 562
- the provider DHCP session process 562 is engaged, directly or indirectly by a DHCP server on a different host from the BRAS host, such as on DHCP host 120 f , as indicated by process 144 . In some embodiments, the provider DHCP session process 562 is engaged, directly or indirectly by a different server on a different host from the BRAS host, such as on AAA host 120 e , as indicated by process 143 .
- DHCP standards are adapted to allow DHCP messages to support session keep-alive and termination, such as provided by PPP. Any authentication required for a user to begin communication over the network has occurred before the method described here. In some embodiments, the authentication is performed using PPP. In some embodiments, the authentication is performed using another protocol. In some embodiments, the authentication is performed using DHCP as described in Townsley. In some embodiments, no authentication is performed.
- two new DHCP message types are defined:
- the DHCPAUTH messages follow the format for DHCP messages defined in RFC 2131. These new messages are identified by the presence of a DHCP Message Type option 322 , which encodes DHCP message types. For example, one value in DHCP Message Type option field 322 is associated with a DHCP-ECHOREQUEST message type; and a second value in DHCP Message Type option field 322 is associated with a DHCP-ECHOREPLY message type.
- the DHCP standard should be updated to allow this association.
- Other fields in the DHCP message header such as siaddr andfname, are left unused.
- one or more other fields in the DHCP header (such as the xid field 316 ) or payload are used to indicate these types of messages in addition to or instead of the fields used in the illustrated embodiment.
- the data in a DHCP-ECHOREQUEST and DHCP-ECHOREPLY message is carried within an option field, for example, as option field 322 .
- the option type field 323 indicates whether the message is a request or a reply.
- the option length field 324 holds data that indicates the length of the data fields 326 as a number of octets (an octet is eight binary digits called bits).
- the option type field 323 is eight bits
- the option length field 324 is eight bits
- the data fields 326 are the next number of octets indicated by the value in the option length field 324 .
- the data in the option length field 324 indicates a length of one (1) octet.
- the data fields 326 are zero or more octets carrying the data specific for the option type.
- the one octet of data fields 326 holds data that indicates whether the message is sent from a DHCP client or a DHCP server. This information is used to prevent loop-back situations, e.g., situations in which the request received was actually issued by the same DHCP process.
- a single bit of the octet in data fields 326 called a “C-bit,” is used. For example, a value of “1” in the C-bit indicates the message is sent from a modified DHCP client. A value of “0” in the C-bit indicates the message is sent from a modified DHCP server.
- any DHCP-ECHOREQUEST message that is received is answered with a DHCP-ECHOREPLY message.
- a first process such as a modified BRAS, can determine whether a second process engaged in IP unicast communications over the IP network (such as end node 120 a ) is still active by sending a DHCP-ECHOREQUEST and receiving a corresponding DHCP-ECHOREPLY within an appropriate time. If the corresponding reply is not received within an appropriate time, then actions appropriate for loss of communication can be taken, such as terminating billing or attempting to re-establish connection. The corresponding reply can be distinguished based on a value in the xid field, as is done currently for correlating DHCP OFFER response message with a DHCP DISCOVER request message.
- FIG. 6 is a flow diagram that illustrates a method 600 at a DHCP session process, such as process 424 in user end node 420 and process 562 in BRAS host 550 , according to an embodiment.
- steps are shown in FIG. 6 in a particular order for purposes of illustration, in other embodiments the steps may be performed in a different order or overlapping in time or one or more steps may be omitted or the steps may be changed in some combination of ways.
- the steps depicted in FIG. 6 are included in both customer DHCP session process 424 and provider DHCP session process 562 , but the implementations of the steps differ between the two processes.
- a DHCP lease is established for configuration data for customer premises equipment. For example, after authentication, a lease is offered to modified DHCP client 422 on host 120 a for an IP address and other configuration data and accepted by the client 422 . On modified BRAS host 550 , the acceptance from client 422 is received by modified DHCP server.
- step 620 it is determined whether conditions are satisfied for testing a connection state between the modified DHCP client 422 and the modified BRAS 552 . For example, in some embodiments, at the client 422 on end node 120 a it is determined that a request sent over IP network 110 d to a server on end node 120 c has not resulted in a response from end node 120 c after one or more retransmits. In some embodiments it is determined at client 422 that no data packets have been received from BRAS 552 on host 154 for a particular time associated with a keep-alive test interval.
- step 624 the DHCP session process on the local node sends a DHCP echo request, such as a DHCP-ECHOREQUEST message.
- a DHCP-ECHOREQUEST with a “0” in the C-bit is unicast to the customer node.
- a DHCP-ECHOREQUEST with a “1” in the C-bit is unicast to the provider node.
- a unique value is placed in the xid field 316 of the DHCP header so that an echo reply to this request can be distinguished from other echo reply messages that may be received.
- a reply timer is started to determine the time spent waiting for a valid echo reply.
- control passes from step 624 to step 630 to continue IP unicast communications until the request goes unanswered with a predetermined reply time interval.
- the DHCP session process goes into a wait mode and does not continue IP unicast communications until the request is answered with a valid DHCP echo reply within the reply time, as described below in steps 670 and 674 .
- control passes from step 624 to step 670 .
- step 640 it is determined whether a DHCP lease for communications between the customer node and nodes on the IP network expires. If so, control passes to step 642 .
- step 642 it is determined whether the DHCP client on the customer node requests a lease renewal in time. If so, control passes back to step 610 to establish a lease for such communications. For example, as a lease time interval is about to expire, a DHCP client process on customer node (e.g., end node 120 a ) sends a DHCP renewal message to a DHCP server (e.g., modified DHCP server 560 on BRAS host 550 .
- a DHCP server e.g., modified DHCP server 560 on BRAS host 550 .
- step 642 If in step 642 it is determined that the DHCP client on the customer node does not request a lease renewal in time, then control passes to step 690 .
- step 690 the lease expires and unicast IP communications between the customer node and nodes on the IP network cease.
- step 640 If in step 640 it is determined that a DHCP lease for communications between the customer node and nodes on the IP network does not expire, then control passes to step 650 . In some embodiments, step 640 is omitted and control passes directly to step 650 .
- step 650 it is determined whether a DHCP echo request is received among the unicast IP data packets. If so, control passes to step 652 .
- step 652 it is determined whether the echo request is valid. In some embodiments in which step 640 is omitted, step 652 includes determining whether there is DHCP lease in effect for communications between the customer node and nodes on the IP network. In some embodiments, step 652 includes determining whether the request is not a loop-back request. For example, it is determined during step 652 that the DHCP process (e.g., a DHCP client or DHCP serer) that sent the request, as indicated in the illustrated embodiment by the C-bit in data fields 326 of a DHCP-ECHOREQUEST message, is different from the DHCP process receiving the request. If the echo request is not valid, it is ignored; and control passes back to step 620 . If the echo request is valid, control passes to step 660 to reply. In some embodiments, step 652 is omitted and control passes directly to step 660 .
- the DHCP process e.g., a DHCP client or DHCP serer
- a DHCP echo reply message is returned, i.e., the DHCP session process on the local node sends a DHCP echo reply, such as a DHCP-ECHOREPLY message.
- a DHCP-ECHOREPLY with a “0” in the C-bit is unicast to the customer node.
- a DHCP-ECHOREPLY with a “1” in the C-bit is unicast to the provider node.
- the unique value from the xid field 316 of the DHCP-ECHOREQUEST message is placed in the xid field 316 of the DHCP header of the DHCP-ECHOREPLY message so that this reply can be associated with the request. Control then passes back to step 620 .
- step 670 it is determined whether a message received is a valid DHCP echo reply. In some embodiments, any DHCP echo reply is considered a valid DHCP echo reply. In an illustrated embodiment, only a DHCP echo reply in response to a DHCP echo request sent by the local node can be a valid reply. If the local node sent no DHCP echo request, e.g., did not execute step 624 , then no DHCP echo reply is a valid reply.
- the echo reply must correspond to the request to be valid.
- the correspondence is determined if the values in the xid field of the reply matches a value in an xid field of any request sent during step 624 .
- a list of outstanding echo request messages sent by the local node and associated xid values are maintained at the local node Therefore a reply to a request sent by another node, e.g., with an xid value not on the list maintained at the local node, is determined during step 670 of such embodiments to be an invalid echo reply.
- step 674 it is determined whether the time for a valid reply has expired. For example, it is determined whether the reply timer set during step 624 has exceeded a predetermined maximum reply time interval.
- step 674 If it is determined in step 674 that the time for a valid reply has not expired, then the unicast communication can be processed normally, and control passes to step 688 to do so. Any processing of IP data packets known in the art may be performed at the local node during step 688 . Control then passes back to step 620 to see if new conditions for testing the connection have been satisfied and, if not, continue IP unicasts in step 630 .
- the local node responds to the loss of connection. Any response may be performed. For example, in some embodiments in which the local node executes a DHCP server, the resources allocated to the customer node are reclaimed earlier than allowed by the DHCP lease. In some embodiments the local node attempts to authenticate the customer node. In some embodiments, a billing agent process is notified that the customer session has ended and to cease charges based on connect-time. In some embodiments in which the local node executes a DHCP client, the client attempts to commence access, such as by sending a new DHCP DISCOVER message, or again logging onto the network in any conventional way.
- the DHCP client again responds to a DHCP challenge issued by a challenging process at the BRAS or DHCP server or AAA server.
- the customer node releases the local resources allocated to the communication session.
- step 670 If it is determined in step 670 that a message received is a valid echo reply, then control passes to step 672 to keep the session going. In effect, receipt of the valid echo reply has the effect of receiving a session keep-alive message. Any method may be used in step 672 to keep the session alive.
- a keep-alive timer for tracking time since a last keep-alive message is reset; and the timer started in step 624 to mark time elapsed since an echo request was sent is stopped.
- DHCP messages are utilized to determine when to keep-alive an IP session and when to terminate the session. This replaces similar functionality currently provided by PPP. Therefore, in some embodiments, PPP session maintenance functions are not utilized. In some of these embodiments, PPP authentication functions are also not utilized but instead replaced by the DHCP authentication functions of Townsley.
- the method 600 does not suffer the disadvantage of a short DHCP lease time used in a prior approach.
- the short DHCP lease times of a few seconds require the BRAS and DHCP client on the customer node to generate and process large DHCP messages every few seconds for every active IP session.
- the method 600 does not suffer the disadvantage of using ARP to detect a loss of connection. Because the method involves direct unicast communication between the DHCP client and the modified BRAS, a mis-configured or rogue node is not likely to be able to respond to the DHCP echo request.
- DHCP packets including DHCP-ECHOREQUEST and DHCP-ECHOREPLY messages may be freely routed by IP routers across multiple hops.
- This method can also be combined with a modification to a DHCP relay agent on access network 110 c that restricts the relay agent from forwarding DHCP-ECHOREQUEST messages from external DHCP servers, which ensures that any DHCP-ECHOREQUEST messages received by the DHCP client were originated in the BRAS.
- a DHCP echo-request message is considered valid only if received at a reasonable rate less than some rate limit.
- the customer DHCP session process is put in an echo-disabled state.
- the customer DHCP session process determines during step 652 that any DHCP echo request message sent to it is not valid.
- the customer DHCP session process is put in an echo-enabled state after a time based on the rate limit. In such an echo-enabled state, the customer DHCP session process determines during step 652 that a DHCP echo request message sent to it is valid if it satisfies other criteria for validity described above.
- a hash function is used with a shared secret and a hash value included in the echo request to determine whether the request is valid in step 652 . In some embodiments a hash function is used with a shared secret and a hash value included in the echo reply to determine whether the reply is valid in step 670 .
- FIG. 7 is a block diagram that illustrates a computer system 700 upon which an embodiment of the invention may be implemented.
- the preferred embodiment is implemented using one or more computer programs running on a network node such as a router device.
- the computer system 700 is a network node.
- Computer system 700 includes a communication mechanism such as a bus 710 for passing information between other internal and external components of the computer system 700 .
- Information is represented as physical signals of a measurable phenomenon, typically electric voltages, but including, in other embodiments, such phenomena as magnetic, electromagnetic, pressure, chemical, molecular atomic and quantum interactions. For example, north and south magnetic fields, or a zero and non-zero electric voltage, represent two states (0, 1) of a binary digit (bit). A sequence of binary digits constitutes digital data that is used to represent a number or code for a character.
- a bus 710 includes many parallel conductors of information so that information is transferred quickly among devices coupled to the bus 710 .
- One or more processors 702 for processing information are coupled with the bus 710 .
- a processor 702 performs a set of operations on information.
- the set of operations include bringing information in from the bus 710 and placing information on the bus 710 .
- the set of operations also typically include comparing two or more units of information, shifting positions of units of information, and combining two or more units of information, such as by addition or multiplication.
- a sequence of operations to be executed by the processor 702 constitute computer instructions.
- Computer system 700 also includes a memory 704 coupled to bus 710 .
- the memory 704 such as a random access memory (RAM) or other dynamic storage device, stores information including computer instructions. Dynamic memory allows information stored therein to be changed by the computer system 700 . RAM allows a unit of information stored at a location called a memory address to be stored and retrieved independently of information at neighboring addresses.
- the memory 704 is also used by the processor 702 to store temporary values during execution of computer instructions.
- the computer system 700 also includes a read only memory (ROM) 706 or other static storage device coupled to the bus 710 for storing static information, including instructions, that is not changed by the computer system 700 .
- ROM read only memory
- Also coupled to bus 710 is a non-volatile (persistent) storage device 708 , such as a magnetic disk or optical disk, for storing information, including instructions, that persists even when the computer system 700 is turned off or otherwise loses power.
- computer-readable medium is used herein to refer to any medium that participates in providing information to processor 702 , including instructions for execution.
- Non-volatile media include, for example, optical or magnetic disks, such as storage device 708 .
- Volatile media include, for example, dynamic memory 704 .
- Transmission media include, for example, coaxial cables, copper wire, fiber optic cables, and waves that travel through space without wires or cables, such as acoustic waves and electromagnetic waves, including radio, optical and infrared waves. Signals that are transmitted over transmission media are herein called carrier waves.
- Computer-readable media include, for example, a floppy disk, a flexible disk, a hard disk, a magnetic tape or any other magnetic medium, a compact disk ROM (CD-ROM), a digital video disk (DVD) or any other optical medium, punch cards, paper tape, or any other physical medium with patterns of holes, a RAM, a programmable ROM (PROM), an erasable PROM (EPROM), a FLASH-EPROM, or any other memory chip or cartridge, a carrier wave, or any other medium from which a computer can read.
- a floppy disk a flexible disk, a hard disk, a magnetic tape or any other magnetic medium
- CD-ROM compact disk ROM
- DVD digital video disk
- punch cards paper tape
- EPROM erasable PROM
- FLASH-EPROM FLASH-EPROM
- Information is provided to the bus 710 for use by the processor from an external terminal 712 , such as a terminal with a keyboard containing alphanumeric keys operated by a human user, or a sensor.
- a sensor detects conditions in its vicinity and transforms those detections into signals compatible with the signals used to represent information in computer system 700 .
- terminal 712 coupled to bus 710 , used primarily for interacting with humans, include a display device, such as a cathode ray tube (CRT) or a liquid crystal display (LCD) or a plasma screen, for presenting images, and a pointing device, such as a mouse or a trackball or cursor direction keys, for controlling a position of a small cursor image presented on the display and issuing commands associated with graphical elements presented on the display of terminal 712 .
- a display device such as a cathode ray tube (CRT) or a liquid crystal display (LCD) or a plasma screen
- a pointing device such as a mouse or a trackball or cursor direction keys
- terminal 712 is omitted.
- Computer system 700 also includes one or more instances of a communications interface 770 coupled to bus 710 .
- Communication interface 770 provides a two-way communication coupling to a variety of external devices that operate with their own processors, such as printers, scanners, external disks, and terminal 712 .
- Firmware or software running in the computer system 700 provides a terminal interface or character-based command interface so that external commands can be given to the computer system.
- communication interface 770 may be a parallel port or a serial port such as an RS-232 or RS-422 interface, or a universal serial bus (USB) port on a personal computer.
- USB universal serial bus
- communications interface 770 is an integrated services digital network (ISDN) card or a digital subscriber line (DSL) card or a telephone modem that provides an information communication connection to a corresponding type of telephone line.
- ISDN integrated services digital network
- DSL digital subscriber line
- a communication interface 770 is a cable modem that converts signals on bus 710 into signals for a communication connection over a coaxial cable or into optical signals for a communication connection over a fiber optic cable.
- communications interface 770 may be a local area network (LAN) card to provide a data communication connection to a compatible LAN, such as Ethernet.
- LAN local area network
- Wireless links may also be implemented. For wireless links, the communications interface 770 sends and receives electrical, acoustic or electromagnetic signals, including infrared and optical signals, which carry information streams, such as digital data. Such signals are examples of carrier waves
- special purpose hardware such as an application specific integrated circuit (IC) 720
- IC application specific integrated circuit
- the special purpose hardware is configured to perform operations not performed by processor 702 quickly enough for special purposes.
- application specific ICs include graphics accelerator cards for generating images for display, cryptographic boards for encrypting and decrypting messages sent over a network, speech recognition, and interfaces to special external devices, such as robotic arms and medical scanning equipment that repeatedly perform some complex sequence of operations that are more efficiently implemented in hardware.
- the computer system 700 includes switching system 730 as special purpose hardware for switching information for flow over a network.
- Switching system 730 typically includes multiple communications interfaces, such as communications interface 770 , for coupling to multiple other devices.
- each coupling is with a network link 732 that is connected to another device in or attached to a network, such as local network 780 in the illustrated embodiment, to which a variety of external devices with their own processors are connected.
- a network link 732 is connected to another device in or attached to a network, such as local network 780 in the illustrated embodiment, to which a variety of external devices with their own processors are connected.
- an input interface or an output interface or both are linked to each of one or more external network elements.
- three network links 732 a , 732 b , 732 c are included in network links 732 in the illustrated embodiment, in other embodiments, more or fewer links are connected to switching system 730 .
- the switching system 730 includes logic and circuitry configured to perform switching functions associated with passing information among elements of network 780 , including passing information received along one network link, e.g. 732 a , as output on the same or different network link, e.g., 732 c .
- the switching system 730 switches information traffic arriving on an input interface to an output interface according to pre-determined protocols and conventions that are well known.
- switching system 730 includes its own processor and memory to perform some of the switching functions in software.
- switching system 730 relies on processor 702 , memory 704 , ROM 706 , storage 708 , or some combination, to perform one or more switching functions in software.
- switching system 730 in cooperation with processor 704 implementing a particular protocol, can determine a destination of a packet of data arriving on input interface on link 732 a and send it to the correct destination using output interface on link 732 c .
- the destinations may include host 782 , server 792 , other terminal devices connected to local network 780 or Internet 790 , or other routing and switching devices in local network 780 or Internet 790 .
- the invention is related to the use of computer system 700 for implementing the techniques described herein. According to one embodiment of the invention, those techniques are performed by computer system 700 in response to processor 702 executing one or more sequences of one or more instructions contained in memory 704 . Such instructions, also called software and program code, may be read into memory 704 from another computer-readable medium such as storage device 708 . Execution of the sequences of instructions contained in memory 704 causes processor 702 to perform the method steps described herein.
- hardware such as application specific integrated circuit 720 and circuits in switching system 730 , may be used in place of or in combination with software to implement the invention. Thus, embodiments of the invention are not limited to any specific combination of hardware and software.
- the signals transmitted over network link 732 and other networks through communications interfaces such as interface 770 , which carry information to and from computer system 700 , are exemplary forms of carrier waves.
- Computer system 700 can send and receive information, including program code, through the networks 780 , 790 among others, through network links 732 and communications interfaces such as interface 770 .
- a server 792 transmits program code for a particular application, requested by a message sent from computer 700 , through Internet 790 , ISP equipment 784 , local network 780 and network link 732 b through communications interface in switching system 730 .
- the received code may be executed by processor 702 or switching system 730 as it is received, or may be stored in storage device 708 or other non-volatile storage for later execution, or both.
- computer system 700 may obtain application program code in the form of a carrier wave.
- instructions and data may initially be carried on a magnetic disk of a remote computer such as host 782 .
- the remote computer loads the instructions and data into its dynamic memory and sends the instructions and data over a telephone line using a modem.
- a modem local to the computer system 700 receives the instructions and data on a telephone line and uses an infra-red transmitter to convert the instructions and data to an infra-red signal, a carrier wave serving as the network link 732 b .
- An infrared detector serving as communications interface in switching system 730 receives the instructions and data carried in the infrared signal and places information representing the instructions and data onto bus 710 .
- Bus 710 carries the information to memory 704 from which processor 702 retrieves and executes the instructions using some of the data sent with the instructions.
- the instructions and data received in memory 704 may optionally be stored on storage device 708 , either before or after execution by the processor 702 or switching system 730 .
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Business, Economics & Management (AREA)
- Accounting & Taxation (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Small-Scale Networks (AREA)
Abstract
Description
- This application is related to U.S. patent application Ser. No. ______ (Attorney Docket Np. CIS001-039 (Seq. 13197)), filed MMMM XX, 2006 (referenced hereinafter as Townsley) the entire contents of which are hereby incorporated by reference as if fully set forth herein.
- 1. Field of the Invention
- The present invention relates to migrating point to point protocol (PPP) functions for customer access of a wide area network to the Internet Protocol (IP).
- 2. Description of the Related Art
- Networks of general purpose computer systems and special devices connected by external communication links are well known. The networks often include one or more network devices that facilitate the passage of information between the computer systems. A network node is a network device or computer system or special device connected by the communication links.
- Information is exchanged between network nodes according to one or more of many well known, new or still developing protocols. In this context, a protocol consists of a set of rules defining how the nodes interact with each other based on information sent over the communication links. The protocols are effective at different layers of operation within each node, from generating and receiving physical signals of various types, to selecting a link for transferring those signals, to the format of information indicated by those signals, to identifying which software application executing on a computer system sends or receives the information. The conceptually different layers of protocols for exchanging information over a network are described in the Open Systems Interconnection (OSI) Reference Model. The OSI Reference Model is generally described in more detail in Section 1.1 of the reference book entitled Interconnections Second Edition, by Radia Perlman, published September 1999, which is hereby incorporated by reference as though fully set forth herein.
- Communications between nodes are typically effected by exchanging discrete packets of data. Each packet typically comprises 1] header information associated with a particular protocol, and 2] payload information that follows the header information and contains information that may be processed independently of that particular protocol. In some protocols, the packet includes 3] trailer information following the payload and indicating the end of the payload information. The header includes information such as the source of the packet, its destination, the length of the payload, and other properties used by the protocol. Often, the data in the payload for the particular protocol includes a header and payload for a different protocol associated with a different, higher layer of the OSI Reference Model. The header for a particular protocol typically indicates a type for the next protocol contained in its payload. The next protocol is said to be encapsulated in the particular protocol. The headers included in a packet traversing multiple heterogeneous networks, such as the Internet, typically include a physical (layer 1) header, a data-link (layer 2) header, an internetwork (layer 3) header and a transport (layer 4) header, as defined by the Open Systems Interconnection (OSI) Reference Model.
- Some protocols span the layers of the OSI Reference Model. For example, the Ethernet local area network (LAN) protocol includes both layer 1 and layer 2 information. The International Electrical and Electronics Engineers (IEEE) 802.3 protocol, an implementation of the Ethernet protocol, includes layer 1 information and some layer 2 information.
- One such layer 2 protocol is the Point to Point Protocol (PPP) between a host computer on a local area network and a network node that provides access to a wide area network, such as the Internet. Some protocols, including PPP, pass protocol-related information among two or more network nodes in special control packets that are communicated separately and which include a payload of information used by the protocol itself rather than a payload of data to be communicated for another application. These control packets and the processes at network nodes that utilize the control packets are said to be in another dimension, a “control plane,” distinct from the “data plane” dimension that includes the data packets with payloads for other applications. For example, authentication information used to authenticate users and layer 3 address assignment information used by routers to direct data packets according to their layer 3 addresses are passed between nodes in PPP control messages in the PPP control plane.
- PPP provides a standard method for transporting any of multiple protocol data packets (also called frames, datagrams and cells, and used interchangeably herein) over point-to-point links. PPP is defined in an Internet Engineering Task Force (IETF) request for comments document (RFC) numbered 1661, dated July 1994, the entire contents of which are hereby incorporated by reference as if fully set forth herein. Copies of RFC 1661 and other RFCs cited below are available at the World Wide Web domain ietf.org. PPP has been used extensively to connect users at a home site to a remote network using modems and telephone copper loop infrastructure. PPP provides a robust control plane for signaling line characteristics, network protocol parameters, and user-level authentication. In large service provider networks, the user authentication models are generally well entrenched, including, but not limited to, custom-built applications for communicating policy to network equipment and to track billing information.
- For applications in which multiple hosts on a shared Ethernet establish PPP sessions to multiple destinations via one or more bridging modems, a PPP over Ethernet (PPPOE) specification has been developed. PPPoE is intended to be used with broadband remote access technologies that provide a bridged Ethernet topology, when access providers wish to distinguish different users connected via the same modem to the remote network. PPP provides this distinction by opening different sessions with different users. PPPoE is described in IETF RFC 2516, the entire contents of which are hereby incorporated by reference as if fully set forth herein. After establishing a PPP session, IP data packets are sent encapsulated in PPPoE.
- There is a trend among network service providers to move to Ethernet and IP as the only layer two and layer three protocols between end nodes at a user site and end nodes on the remote network to which access is sought. One reason given for this trend is a desire to make use of IP-based quality of service (QoS) capabilities available in access network equipment. Another reason given is to reduce complexity because data packets can be transmitted from one portion of the network infrastructure to another without translating between layer 2 protocols. Another reason given is that using IP over Ethernet will improve the bandwidth utilization per transmitted frame due to a lower protocol overhead.
- One approach is to eliminate PPP and PPPoE; and provide the PPP functions using IP-based functions. For example, it has been proposed to use International Electrical and Electronics Engineers standard 802.1x or web portal methods for authentication, and to use the Dynamic Host Configuration Protocol (DHCP) for assigning IP addresses. A justification offered for this approach is that, when all encapsulated data packets are IP, the multi-protocol encapsulation capability of PPP is not valuable.
- There are some disadvantages to eliminating PPP. For example, web portal based authentication has drawbacks in that it requires a specific application (web browser) to be activated before anything can happen. The existing IP-based functions do not perform all the functions performed by PPP. Some of these protocols would have to be extended to perform the missing functions. For example, DHCP would have to be extended to perform user authentication and integration with an authorization server, and include a connection “keep-alive” mechanism, among other tasks, in order to encompass all of the functionality that PPP offers today.
- In one approach, described in RFC 3118 on DHCP authentication, a mechanism is presented that is directed to authenticating the DHCP messages themselves to ensure that they did not get altered in transmit, rather than authenticating the user.
- PPP provides a “keep-alive” mechanism for detecting when a session is active and available so that reallocation of an IP address or billing can take place on session termination. DHCP does not have any mechanism today apart from a lease timeout. In one approach, DHCP is used with very short lease times, e.g., as short as 5 seconds. A problem with this approach is that devices for users who engage in sessions that last longer than the lease time have to negotiate new leases with the DHCP server, increasing the consumption of network resources both in terms of traffic volume and computational time at a node that hosts a DHCP server.
- An Address Resolution Protocol (ARP) has been developed and deployed to determine what nodes have what IP addresses. An ARP request is broadcast on a link, and every node on the link responds with its IP address. In one approach ARP is used to determine whether an IP address known to be on a given link is still active. A problem with this approach is that any recipient of the broadcast may respond. A mls-configured or rogue recipient may respond with the IP address of a disconnected node and thereby mask the actual loss of connection state.
- Also, as pointed out above, especially in large service provider networks, PPP-based functions are generally well entrenched with provider-specific extensions. For example, some provider-specific extensions provide authorization to determine whether an authentic user is in good standing for receiving one or more services, e.g., for paid-up basic services, for voice services, or for a particular quality of service, or some combination. Many of these extensions involve a Broadband Remote Access Server (BRAS) hooking into an Authentication, Authorization, Accounting (AAA) server like the Remote Authentication Dial-In-ervice (RADIUS) server. Neither RFC 3118 nor DHCP are directed to determining whether an authentic user is actually authorized to access any particular services on the network, nor involve hooking into an AAA server. A wholesale replacement of general PPP functions with IP will not address any provider-specific extensions. Some transition period is needed to give the provider time to adapt the provider-specific extensions to the IP mechanisms.
- Based on the foregoing, there is a clear need for techniques that migrate one or more PPP functions to IP over Ethernet infrastructure but that do not suffer all the disadvantages of the prior art approaches. In particular there is a need to provide session keep-alive and session termination detection functions in DHCP to replace these functions in PPP.
- The approaches described in this section could be pursued, but are not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated herein, the approaches described in this section are not to be considered prior art to the claims in this application merely due to the presence of these approaches in this background section.
- The present invention is illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings and in which like reference numerals refer to similar elements and in which:
-
FIG. 1 is a block diagram that illustrates a remote access network, according to an embodiment; -
FIG. 2 is a block diagram that illustrates a packet of data communicated over a network; -
FIG. 3 is a block diagram that illustrates a DHCP packet of data communicated over a network; -
FIG. 4 is a block diagram that illustrates an end user host according an embodiment; -
FIG. 5 is a block diagram that illustrates a BRAS host, according an embodiment; -
FIG. 6 is a flow diagram that illustrates a method at a DHCP session process, according to an embodiment; and -
FIG. 7 is a block diagram that illustrates a computer system configured as an intermediate network node upon which an embodiment of the invention may be implemented. - A method and apparatus and system are described for migrating at least one of PPP session keep-alive functionality and PPP session termination functionality to DHCP. In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent, however, to one skilled in the art that the present invention may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to avoid unnecessarily obscuring the present invention.
- In various embodiments described herein, techniques are provided that perform at least some PPP control plane functionality while utilizing DHCP, itself a purely control plane protocol. In the following description, embodiments are described primarily in the context of migrating the PPP session functionality to DHCP between a customer premises end node and a Broadband Remote Access Server (BRAS) across an access network. However, the invention is not limited to these embodiments. In other embodiments, the functionality is provided by DHCP formatted messages sent between any node and any other node across an IP network. In some embodiments, DHCP messages are used in Network Admission Control (NAC) for sessions with any host connected to an enterprise network.
- DHCP is based on a client-server model of network communications, well known and widely used in the art. According to the client-server model, a client process sends a message including a request to a server process, and the server process responds by providing a service. The server process may also return a message with a response to the client process. Often the client process and server process execute on different computer devices, called hosts, and communicate via a network using one or more protocols for network communications. The term “server” is conventionally used to refer to the process that provides the service, or the host computer on which the process operates. Similarly, the term “client” is conventionally used to refer to the process that makes the request, or the host computer on which the process operates. As used herein, the terms “client” and “server” refer to the processes, rather than the host computers, unless otherwise clear from the context. In addition, the process performed by a server can be broken up to run as multiple servers on multiple hosts (sometimes called tiers) for reasons that include reliability, scalability, redundancy, or other advantages, or some combination.
- According to the DHCP client server model, a DHCP client operating on a device communicates with one or more DHCP servers to obtain configuration information, including an IP address for the client's host device. The configuration data is valid for a limited time interval, called a lease time. Before the lease expires at the end of the lease time interval, the DHCP client may send a renew request message to extend the lease for some period of time, usually another or longer lease time.
- 1.0 Network Overview
-
FIG. 1 is a block diagram that illustrates aremote access network 100, according to an embodiment. A computer network is a geographically distributed collection of interconnected sub-networks (e.g.,sub-networks end nodes server host 120 e, and aDHCP server host 120 f. - In contrast, an intermediate network node facilitates the passage of data between end nodes. Intermediate network nodes depicted in
FIG. 1 include customer premises equipment (CPE) 150 a, 150 b,access modules node 154. - Four sub-networks 110 that are typically involved in remote access are depicted in
FIG. 1 . Each sub-network 110 may includes zero or more intermediate network nodes. AnIP network 110 d is the target for remote access by users at aremote site 102. - To access
IP network 110 d, aLAN 110 a is connected toCPE 150 a which serves as a bridge to anetwork 110 b called the last mile network. Thelast mile network 110 b is built on a telephone wire infrastructure, such as dial-up or digital subscriber line (DSL), or cable television infrastructure, either coaxial cable or optical fiber, or a wireless infrastructure, such as WiFi (IEEE standard 802.11). In an illustrated embodiment,LAN 110 a uses Ethernet infrastructure. Although theremote site 102 includes anEthernet LAN 110 a and twoend nodes CPE 150 a is a digital subscriber line (DSL) modem for establishing a high bandwidth DSL connection over the telephone wire aslast mile network 110 b. In some embodiments,CPE 150 a is a combined router and end node, such as a cable television set-top box. - Communications over last-
mile network 110 b fromCPE access module 152 a. Although twoCPEs mile network 110 b, in other embodiments more or fewer CPEs are connected to last-mile network 110 b. In an illustrated embodiment,access module 152 a is a DSL Access Module (DSLAM). In other embodiments,access module 152 a is a controller for a bank of low-bandwidth modems or a cable or optical access module. - An internet service provider (ISP) typically maintains
several access modules access network 110 c for connection to theIP network 110 d (also called a “core” network) through a Broadband Remote Access Server (BRAS)host 154. In many current embodiments, theaccess network 110 c is migrating to an Ethernet infrastructure that supports the Internet Protocol (IP). - According to an illustrated embodiment of the invention, a customer
DHCP session process 141 executes in a DHCP client atend node 120 a, and a providerDHCP session process 142 executes in a BRAS onBRAS host 154. In various embodiments, anotherDHCP session process AAA host 120 e orDHCP host 120 f, respectively, or some other node onIP network 110 d oraccess network 110 c, or some combination. The DHCP session processes 141, 142, 143, 144 determine whether a node (e.g.,end node 120 a) operating under a particular DHCP lease is still communicating with one or more nodes on sub-networks 110. - 2.0 Structural Elements
-
FIG. 2 is a block diagram that illustrates ageneralized data packet 230 communicated over a network, such asnetwork 100. Each packet typically comprises one or more payloads of data,e.g. payloads headers header header 232 is formatted according to a first protocol andheader 242 is formatted according to a second protocol. Theheader 242 for the second protocol is included within thepayload 238 of the first protocol. As used herein, a header for a particular protocol and its payload constitute a data packet for that protocol and may also be called a cell, frame, datagram or message for that protocol. In some publications data packets for different protocols are distinguished in shorthand by using a different one of the above terms for different protocols, e.g., to refer to Ethernet frames and IP datagrams, but here the terms are used interchangeably. - The header for a protocol typically includes type fields that identify the protocol to which the header belongs and the next protocol in the payload, if any. For example, the
header 232 for the first protocol includes type fields 236. The header for a protocol often includes a destination address or a source address, or both, for the information in the payload. For example, theheader 232 for the first protocol includes address fields 234 where the source and receiver address for the first protocol is located within thepacket 230. As described above, a transmitted data packet's network headers include at least a physical link (layer 1) header and a data-link (layer 2) header. - The physical (layer 1) header defines the electrical, mechanical and procedural mechanisms for proper capture of the Ethernet frame, but is not captured by a Media Access Controller. The layer 1 header may include a DSL or ATM or Ethernet layer 1 header, or some combination.
- The data-link header provides information for transmitting the packet over a particular physical link (i.e., a communication medium), such as a point-to-point link, Ethernet layer 2 link, wireless link, optical link, etc. An intermediate network node typically contains multiple physical links with multiple different nodes. To that end, the data-link header may specify a pair of “source” and “destination” network interfaces that are connected by the physical link. A network interface contains the mechanical, electrical and signaling circuitry and logic used to couple a network node to one or more physical links. A network interface is often associated with a hardware-specific address, known as a media access control (MAC) address. Accordingly, the source and destination network interfaces in the data-link header are typically represented as source and destination MAC addresses. The data-link header may also store flow control, frame synchronization and error checking information used to manage data transmissions over the physical link.
- The internetwork header is a layer 3 header that provides information defining the source and destination address within the interconnected sub-networks (internetwork). Notably, the path may span multiple physical links. The internetwork header may be formatted according to the Internet Protocol (IP), which specifies IP addresses of both a source and destination node at the end points of the logical path. Thus, the packet may “hop” from node to node along its logical path until it reaches the end node assigned to the destination IP address stored in the packet's internetwork header. After each hop, the source and destination MAC addresses in the packet's data-link header may be updated, as necessary. However, the source and destination IP addresses typically remain unchanged as the packet is transferred from link to link in the network.
- DHCP is a control plane protocol that uses messages carried by the User Datagram Protocol (UDP) to transmit IP addresses and other configuration information used to set up IP as the layer 3 protocol, i.e., the internetwork protocol. UDP is a simple, small and fast layer 4 protocol without sophisticated error-tracking and sequencing mechanisms, which utilizes IP broadcasts as a layer 3 protocol to carry UDP messages with DHCP payloads. IP broadcasts do not rely on individual IP addresses for recipients, but direct data packets to all nodes on a particular network segment. An IP broadcast is indicated by a special broadcast value in the IP destination address field of an IP header. A host without an IP address, such as the DHCP client's host at startup, can send an IP data packet by inserting a null address (e.g., 0.0.0.0) in the IP source address field of an IP header, and can receive IP broadcast data packets. DHCP agents are processes on intermediate network nodes that forward DHCP broadcasts received on one segment to a different network segment, as desired.
-
FIG. 3 is a block diagram that illustrates adata packet 310 for a DHCP message communicated over a network. A DHCP message is carried inside aUDP payload 304 that follows theUDP header 302. The DHCP message includes aDHCP header 310 and aDHCP payload 320. According to the DHCP standard, described in RFC 2131 and RFC 2132 the entire contents of each of which are herby incorporated by reference as if fully set forth herein, theDHCP header 310 includes anop type field 312 and anxid field 316. TheDHCP header 310 also includes other fields that are not relevant to understanding embodiments of the invention. Data held in the DHCPop type field 312 indicates whether the message is sent by a DHCP client to a DHCP server, or is sent by a DHCP server to a DHCP client, as is well known in the art. Data held in theDHCP xid field 312 is usually used by a DHCP client to match incoming DHCP messages with pending DHCP requests for configuration data. - The
DHCP payload 320 includes one or more required or optional fields, or both, depending on the message type indicated in a message type field. ADHCP option field 322 is illustrated. TheDHCP option field 322 includes anoption type field 323 andoption length field 324 and one ormore data fields 326, depending on the option type expressed in theoption type field 323. Data held in theoption type field 323 indicates the type of option. Data held in the DHCPoption length field 324 indicates the length of the DHCP option. Data held in the DHCP option data fields 326 indicates the values of one or more attributes associated with the option type indicated in theoption type field 323. One option carried in the DHCP payload contains an attribute that indicates the type of the DHCP message, such as a DHCPDISCOVER message or a DHCPOFFER message. Different values in the attribute field correspond to different message types. All of the message types are defined in RFC 2131, RFC 2132 and subsequent RFCs, well known in the art. A DHCP payload may carry multiple data options fields likefield 322. -
FIG. 4 is a block diagram that illustrates a user end node host 420, according an embodiment. User end node host 420 includes a modifiedDHCP client 422 and a customer DHCP session process 424, such asprocess 141 onend node 120 a. In the illustrated embodiment, the modifiedDHCP client 422 has an Application Program Interface (API) through which external processes can exchange information with the modifiedDHCP client 422. In some embodiments, the customer DHCP session process 424 is incorporated within the modifiedDHCP client 422. - According to embodiments of the invention, the modified
DHCP client 422 is modified from the standard DHCP client in order to engage the customer DHCP session process 424 to accomplish session keep-alive and termination using DHCP messages, as described in more detail below with reference toFIG. 6 . Such a modified DHCP client allows PPP session functionality to be omitted. -
FIG. 5 is a block diagram that illustrates aBRAS host 550, according to an embodiment. TheBRAS host 550 includes a modifiedBRAS 552, a modifiedDHCP server 560 and a providerDHCP session process 562, such asprocess 142 onBRAS host 154. The modifiedDHCP server 560 is modified from a standard DHCP server in order to engage providerDHCP session process 562. - In other embodiments provider
DHCP session process 562 is external to modifiedBRAS 552 and interacts with modifiedBRAS 552 through an API. In some embodiments, the modifiedDHCP server 560 is omitted. In some embodiments, a DHCP relay agent is included in the modifiedBRAS 552. According to some embodiments of the invention, the modifiedBRAS 552 is modified in order to directly or indirectly engage the providerDHCP session process 562 to accomplish session keep-alive and termination using DHCP messages, as described in more detail below with reference toFIG. 6 . In the illustrated embodiment, the modifiedBRAS 552 engages the providerDHCP session process 562 indirectly though a modifiedDHCP server 560 that itself is modified to engage the providerDHCP session process 562 - In some embodiments, the provider
DHCP session process 562 is engaged, directly or indirectly by a DHCP server on a different host from the BRAS host, such as onDHCP host 120 f, as indicated byprocess 144. In some embodiments, the providerDHCP session process 562 is engaged, directly or indirectly by a different server on a different host from the BRAS host, such as onAAA host 120 e, as indicated byprocess 143. - 3.0 Methods for Ip Sessions Using DHCP
- According to various embodiments of the invention, DHCP standards are adapted to allow DHCP messages to support session keep-alive and termination, such as provided by PPP. Any authentication required for a user to begin communication over the network has occurred before the method described here. In some embodiments, the authentication is performed using PPP. In some embodiments, the authentication is performed using another protocol. In some embodiments, the authentication is performed using DHCP as described in Townsley. In some embodiments, no authentication is performed.
- According to an illustrated embodiment of the invention, two new DHCP message types are defined:
- 1—DHCP-ECHOREQUEST
- 2—DHCP-ECHOREPLY
- to support a new session keep-alive and termination functionality within DHCP.
- The DHCPAUTH messages follow the format for DHCP messages defined in RFC 2131. These new messages are identified by the presence of a DHCP
Message Type option 322, which encodes DHCP message types. For example, one value in DHCP MessageType option field 322 is associated with a DHCP-ECHOREQUEST message type; and a second value in DHCP MessageType option field 322 is associated with a DHCP-ECHOREPLY message type. The DHCP standard should be updated to allow this association. Other fields in the DHCP message header, such as siaddr andfname, are left unused. In various other embodiments, one or more other fields in the DHCP header (such as the xid field 316) or payload are used to indicate these types of messages in addition to or instead of the fields used in the illustrated embodiment. - In the illustrated embodiment, the data in a DHCP-ECHOREQUEST and DHCP-ECHOREPLY message is carried within an option field, for example, as
option field 322. As stated above, theoption type field 323 indicates whether the message is a request or a reply. Theoption length field 324 holds data that indicates the length of the data fields 326 as a number of octets (an octet is eight binary digits called bits). For example, theoption type field 323 is eight bits, theoption length field 324 is eight bits, and the data fields 326 are the next number of octets indicated by the value in theoption length field 324. In the illustrated embodiment the data in theoption length field 324 indicates a length of one (1) octet. - The data fields 326 are zero or more octets carrying the data specific for the option type. In the illustrated embodiment, the one octet of
data fields 326 holds data that indicates whether the message is sent from a DHCP client or a DHCP server. This information is used to prevent loop-back situations, e.g., situations in which the request received was actually issued by the same DHCP process. In an illustrated embodiment a single bit of the octet indata fields 326, called a “C-bit,” is used. For example, a value of “1” in the C-bit indicates the message is sent from a modified DHCP client. A value of “0” in the C-bit indicates the message is sent from a modified DHCP server. - In these embodiments, any DHCP-ECHOREQUEST message that is received is answered with a DHCP-ECHOREPLY message. As a result, a first process, such as a modified BRAS, can determine whether a second process engaged in IP unicast communications over the IP network (such as
end node 120 a) is still active by sending a DHCP-ECHOREQUEST and receiving a corresponding DHCP-ECHOREPLY within an appropriate time. If the corresponding reply is not received within an appropriate time, then actions appropriate for loss of communication can be taken, such as terminating billing or attempting to re-establish connection. The corresponding reply can be distinguished based on a value in the xid field, as is done currently for correlating DHCP OFFER response message with a DHCP DISCOVER request message. - 3.1 DHCP Session Process
-
FIG. 6 is a flow diagram that illustrates amethod 600 at a DHCP session process, such as process 424 in user end node 420 andprocess 562 inBRAS host 550, according to an embodiment. Although steps are shown inFIG. 6 in a particular order for purposes of illustration, in other embodiments the steps may be performed in a different order or overlapping in time or one or more steps may be omitted or the steps may be changed in some combination of ways. In some embodiments, the steps depicted inFIG. 6 are included in both customer DHCP session process 424 and providerDHCP session process 562, but the implementations of the steps differ between the two processes. - In
step 610, a DHCP lease is established for configuration data for customer premises equipment. For example, after authentication, a lease is offered to modifiedDHCP client 422 onhost 120 a for an IP address and other configuration data and accepted by theclient 422. Onmodified BRAS host 550, the acceptance fromclient 422 is received by modified DHCP server. - In
step 620, it is determined whether conditions are satisfied for testing a connection state between the modifiedDHCP client 422 and the modifiedBRAS 552. For example, in some embodiments, at theclient 422 onend node 120 a it is determined that a request sent overIP network 110 d to a server onend node 120 c has not resulted in a response fromend node 120 c after one or more retransmits. In some embodiments it is determined atclient 422 that no data packets have been received fromBRAS 552 onhost 154 for a particular time associated with a keep-alive test interval. In some embodiments it is determined at theBRAS 552 422 onhost 154 that no data packets have been received fromend node 120 a for a particular time associated with a keep-alive test interval. In other embodiments one or more other conditions are used to determine that connection test should be tested. If it is determined instep 620 that conditions are not satisfied for testing the connection state, then control passes to step 630. - In
step 630, unicast IP communications between customer node and nodes on IP network (e.g.,IP network 110 d) continue across access network (e.g., acrossaccess network 110 c). - If it is determined in
step 620 that conditions are satisfied for testing the connection state, then control passes to step 624. Instep 624, the DHCP session process on the local node sends a DHCP echo request, such as a DHCP-ECHOREQUEST message. For example, in a modifiedDHCP server 560, a DHCP-ECHOREQUEST with a “0” in the C-bit is unicast to the customer node. In a modifiedDHCP client 422, a DHCP-ECHOREQUEST with a “1” in the C-bit is unicast to the provider node. In an illustrated embodiment, a unique value is placed in thexid field 316 of the DHCP header so that an echo reply to this request can be distinguished from other echo reply messages that may be received. In some embodiments a reply timer is started to determine the time spent waiting for a valid echo reply. - In the illustrated embodiment, control passes from
step 624 to step 630 to continue IP unicast communications until the request goes unanswered with a predetermined reply time interval. In some embodiments, the DHCP session process goes into a wait mode and does not continue IP unicast communications until the request is answered with a valid DHCP echo reply within the reply time, as described below insteps step 624 to step 670. - In
step 640, it is determined whether a DHCP lease for communications between the customer node and nodes on the IP network expires. If so, control passes to step 642. Instep 642 it is determined whether the DHCP client on the customer node requests a lease renewal in time. If so, control passes back to step 610 to establish a lease for such communications. For example, as a lease time interval is about to expire, a DHCP client process on customer node (e.g.,end node 120 a) sends a DHCP renewal message to a DHCP server (e.g., modifiedDHCP server 560 onBRAS host 550. If instep 642 it is determined that the DHCP client on the customer node does not request a lease renewal in time, then control passes to step 690. Instep 690 the lease expires and unicast IP communications between the customer node and nodes on the IP network cease. - If in
step 640 it is determined that a DHCP lease for communications between the customer node and nodes on the IP network does not expire, then control passes to step 650. In some embodiments,step 640 is omitted and control passes directly to step 650. - In
step 650 it is determined whether a DHCP echo request is received among the unicast IP data packets. If so, control passes to step 652. - In
step 652, it is determined whether the echo request is valid. In some embodiments in which step 640 is omitted,step 652 includes determining whether there is DHCP lease in effect for communications between the customer node and nodes on the IP network. In some embodiments,step 652 includes determining whether the request is not a loop-back request. For example, it is determined duringstep 652 that the DHCP process (e.g., a DHCP client or DHCP serer) that sent the request, as indicated in the illustrated embodiment by the C-bit indata fields 326 of a DHCP-ECHOREQUEST message, is different from the DHCP process receiving the request. If the echo request is not valid, it is ignored; and control passes back to step 620. If the echo request is valid, control passes to step 660 to reply. In some embodiments,step 652 is omitted and control passes directly to step 660. - In step 660 a DHCP echo reply message is returned, i.e., the DHCP session process on the local node sends a DHCP echo reply, such as a DHCP-ECHOREPLY message. For example, in a modified
DHCP server 560, a DHCP-ECHOREPLY with a “0” in the C-bit is unicast to the customer node. In a modifiedDHCP client 422, a DHCP-ECHOREPLY with a “1” in the C-bit is unicast to the provider node. In an illustrated embodiment, the unique value from thexid field 316 of the DHCP-ECHOREQUEST message is placed in thexid field 316 of the DHCP header of the DHCP-ECHOREPLY message so that this reply can be associated with the request. Control then passes back to step 620. - If it is determined in
step 650 that a DHCP echo request is not received among the unicast IP data packets, then control passes to step 670. Instep 670, it is determined whether a message received is a valid DHCP echo reply. In some embodiments, any DHCP echo reply is considered a valid DHCP echo reply. In an illustrated embodiment, only a DHCP echo reply in response to a DHCP echo request sent by the local node can be a valid reply. If the local node sent no DHCP echo request, e.g., did not executestep 624, then no DHCP echo reply is a valid reply. - If the local node did send an echo request in
step 624, then, in some such embodiments, the echo reply must correspond to the request to be valid. In the illustrated embodiments, the correspondence is determined if the values in the xid field of the reply matches a value in an xid field of any request sent duringstep 624. In some embodiments, a list of outstanding echo request messages sent by the local node and associated xid values are maintained at the local node Therefore a reply to a request sent by another node, e.g., with an xid value not on the list maintained at the local node, is determined duringstep 670 of such embodiments to be an invalid echo reply. - To prevent a loop-back reply from being mistaken as a valid echo reply, in some embodiments,
step 670 includes determining whether the reply was sent from a different DHCP process than at the local node. For example, if the local node is the modified BRAS with a modified DHCP server, then a DHCP-ECHOREPLY message with a C-bit of “0”(indicating the reply was sent by a DHCP server) is determined to be an invalid echo reply. Similarly, if the local node is the modified DHCP client, then a DHCP-ECHOREPLY message with a C-bit of “1” (indicating the reply was sent by a DHCP client) is determined to be an invalid echo reply. - If the valid DHCP echo reply message is not received in
step 670, then control passes to step 674. Instep 674, it is determined whether the time for a valid reply has expired. For example, it is determined whether the reply timer set duringstep 624 has exceeded a predetermined maximum reply time interval. - If it is determined in
step 674 that the time for a valid reply has not expired, then the unicast communication can be processed normally, and control passes to step 688 to do so. Any processing of IP data packets known in the art may be performed at the local node duringstep 688. Control then passes back to step 620 to see if new conditions for testing the connection have been satisfied and, if not, continue IP unicasts instep 630. - However, if it is determined in
step 674 that the time for a valid reply has expired, then the local node should respond to a loss of the connection between the customer node and the IP network; and control passes to step 680. - In
step 680, the local node responds to the loss of connection. Any response may be performed. For example, in some embodiments in which the local node executes a DHCP server, the resources allocated to the customer node are reclaimed earlier than allowed by the DHCP lease. In some embodiments the local node attempts to authenticate the customer node. In some embodiments, a billing agent process is notified that the customer session has ended and to cease charges based on connect-time. In some embodiments in which the local node executes a DHCP client, the client attempts to commence access, such as by sending a new DHCP DISCOVER message, or again logging onto the network in any conventional way. In embodiments that implement one or more methods of Townsley, the DHCP client again responds to a DHCP challenge issued by a challenging process at the BRAS or DHCP server or AAA server. In some embodiments, the customer node releases the local resources allocated to the communication session. - If it is determined in
step 670 that a message received is a valid echo reply, then control passes to step 672 to keep the session going. In effect, receipt of the valid echo reply has the effect of receiving a session keep-alive message. Any method may be used instep 672 to keep the session alive. Instep 672 for the illustrated embodiment, a keep-alive timer for tracking time since a last keep-alive message is reset; and the timer started instep 624 to mark time elapsed since an echo request was sent is stopped. - Using the
method 600, DHCP messages are utilized to determine when to keep-alive an IP session and when to terminate the session. This replaces similar functionality currently provided by PPP. Therefore, in some embodiments, PPP session maintenance functions are not utilized. In some of these embodiments, PPP authentication functions are also not utilized but instead replaced by the DHCP authentication functions of Townsley. - The
method 600 does not suffer the disadvantage of a short DHCP lease time used in a prior approach. For example, the short DHCP lease times of a few seconds require the BRAS and DHCP client on the customer node to generate and process large DHCP messages every few seconds for every active IP session. - The
method 600 does not suffer the disadvantage of using ARP to detect a loss of connection. Because the method involves direct unicast communication between the DHCP client and the modified BRAS, a mis-configured or rogue node is not likely to be able to respond to the DHCP echo request. - 3.2 Enhanced Security
- Unlike a basic PPP exchange, DHCP packets including DHCP-ECHOREQUEST and DHCP-ECHOREPLY messages may be freely routed by IP routers across multiple hops.
- In some embodiments, an echo request is only considered valid if it traverses only one network segment (i.e., passes through no intervening intermediate network nodes). This prevents malicious IP users on
IP network 110 d from issuing valid echo requests. In some of these embodiments, the single segment requirement is enforced using the IP Time-to-Live (TTL) field, which is set by the originator of a message and decremented by each intermediate network node. The maximum value for this field is 255. Thus an echo request can be assured to be issued on the same segment if the requesting process inserts a value of 255 in the TTL field and the echo request arrives with the value 255 in that field. In such embodiments,step 652 includes determining whether the TTL field of the received challenge is equal to 255. - This method can also be combined with a modification to a DHCP relay agent on
access network 110 c that restricts the relay agent from forwarding DHCP-ECHOREQUEST messages from external DHCP servers, which ensures that any DHCP-ECHOREQUEST messages received by the DHCP client were originated in the BRAS. - In some embodiments, a DHCP authentication challenge is considered valid only if it is the first received after a lease is granted by a DHCP server, as depicted in the illustrated embodiment. In some such embodiments, after a lease is granted, the customer DHCP session process is put in a echo-enabled state. When in the echo-enabled state, the client determines during
step 652 that a DHCP echo request message sent to it is valid if it satisfies other criteria for validity described above. The customer DHCP session process is put in an echo-disabled state after a DHCP lease expires and before a DHCP lease is obtained. In such an echo-disabled state, the customer DHCP session process determines duringstep 652 that any DHCP echo request message sent to it is not valid. - In some embodiments, a DHCP echo-request message is considered valid only if received at a reasonable rate less than some rate limit. In some such embodiments, after an echo request, the customer DHCP session process is put in an echo-disabled state. When in the echo-disabled state, the customer DHCP session process determines during
step 652 that any DHCP echo request message sent to it is not valid. The customer DHCP session process is put in an echo-enabled state after a time based on the rate limit. In such an echo-enabled state, the customer DHCP session process determines duringstep 652 that a DHCP echo request message sent to it is valid if it satisfies other criteria for validity described above. - In some embodiments a hash function is used with a shared secret and a hash value included in the echo request to determine whether the request is valid in
step 652. In some embodiments a hash function is used with a shared secret and a hash value included in the echo reply to determine whether the reply is valid instep 670. - 4.0 Implementation Mechanisms—Hardware Overview
-
FIG. 7 is a block diagram that illustrates acomputer system 700 upon which an embodiment of the invention may be implemented. The preferred embodiment is implemented using one or more computer programs running on a network node such as a router device. Thus, in this embodiment, thecomputer system 700 is a network node. -
Computer system 700 includes a communication mechanism such as abus 710 for passing information between other internal and external components of thecomputer system 700. Information is represented as physical signals of a measurable phenomenon, typically electric voltages, but including, in other embodiments, such phenomena as magnetic, electromagnetic, pressure, chemical, molecular atomic and quantum interactions. For example, north and south magnetic fields, or a zero and non-zero electric voltage, represent two states (0, 1) of a binary digit (bit). A sequence of binary digits constitutes digital data that is used to represent a number or code for a character. Abus 710 includes many parallel conductors of information so that information is transferred quickly among devices coupled to thebus 710. One ormore processors 702 for processing information are coupled with thebus 710. Aprocessor 702 performs a set of operations on information. The set of operations include bringing information in from thebus 710 and placing information on thebus 710. The set of operations also typically include comparing two or more units of information, shifting positions of units of information, and combining two or more units of information, such as by addition or multiplication. A sequence of operations to be executed by theprocessor 702 constitute computer instructions. -
Computer system 700 also includes amemory 704 coupled tobus 710. Thememory 704, such as a random access memory (RAM) or other dynamic storage device, stores information including computer instructions. Dynamic memory allows information stored therein to be changed by thecomputer system 700. RAM allows a unit of information stored at a location called a memory address to be stored and retrieved independently of information at neighboring addresses. Thememory 704 is also used by theprocessor 702 to store temporary values during execution of computer instructions. Thecomputer system 700 also includes a read only memory (ROM) 706 or other static storage device coupled to thebus 710 for storing static information, including instructions, that is not changed by thecomputer system 700. Also coupled tobus 710 is a non-volatile (persistent)storage device 708, such as a magnetic disk or optical disk, for storing information, including instructions, that persists even when thecomputer system 700 is turned off or otherwise loses power. - The term computer-readable medium is used herein to refer to any medium that participates in providing information to
processor 702, including instructions for execution. - Such a medium may take many forms, including, but not limited to, non-volatile media, volatile media and transmission media. Non-volatile media include, for example, optical or magnetic disks, such as
storage device 708. Volatile media include, for example,dynamic memory 704. Transmission media include, for example, coaxial cables, copper wire, fiber optic cables, and waves that travel through space without wires or cables, such as acoustic waves and electromagnetic waves, including radio, optical and infrared waves. Signals that are transmitted over transmission media are herein called carrier waves. - Common forms of computer-readable media include, for example, a floppy disk, a flexible disk, a hard disk, a magnetic tape or any other magnetic medium, a compact disk ROM (CD-ROM), a digital video disk (DVD) or any other optical medium, punch cards, paper tape, or any other physical medium with patterns of holes, a RAM, a programmable ROM (PROM), an erasable PROM (EPROM), a FLASH-EPROM, or any other memory chip or cartridge, a carrier wave, or any other medium from which a computer can read.
- Information, including instructions, is provided to the
bus 710 for use by the processor from anexternal terminal 712, such as a terminal with a keyboard containing alphanumeric keys operated by a human user, or a sensor. A sensor detects conditions in its vicinity and transforms those detections into signals compatible with the signals used to represent information incomputer system 700. Other external components ofterminal 712 coupled tobus 710, used primarily for interacting with humans, include a display device, such as a cathode ray tube (CRT) or a liquid crystal display (LCD) or a plasma screen, for presenting images, and a pointing device, such as a mouse or a trackball or cursor direction keys, for controlling a position of a small cursor image presented on the display and issuing commands associated with graphical elements presented on the display ofterminal 712. In some embodiments, terminal 712 is omitted. -
Computer system 700 also includes one or more instances of acommunications interface 770 coupled tobus 710.Communication interface 770 provides a two-way communication coupling to a variety of external devices that operate with their own processors, such as printers, scanners, external disks, andterminal 712. Firmware or software running in thecomputer system 700 provides a terminal interface or character-based command interface so that external commands can be given to the computer system. For example,communication interface 770 may be a parallel port or a serial port such as an RS-232 or RS-422 interface, or a universal serial bus (USB) port on a personal computer. In some embodiments,communications interface 770 is an integrated services digital network (ISDN) card or a digital subscriber line (DSL) card or a telephone modem that provides an information communication connection to a corresponding type of telephone line. In some embodiments, acommunication interface 770 is a cable modem that converts signals onbus 710 into signals for a communication connection over a coaxial cable or into optical signals for a communication connection over a fiber optic cable. As another example,communications interface 770 may be a local area network (LAN) card to provide a data communication connection to a compatible LAN, such as Ethernet. Wireless links may also be implemented. For wireless links, thecommunications interface 770 sends and receives electrical, acoustic or electromagnetic signals, including infrared and optical signals, which carry information streams, such as digital data. Such signals are examples of carrier waves - In the illustrated embodiment, special purpose hardware, such as an application specific integrated circuit (IC) 720, is coupled to
bus 710. The special purpose hardware is configured to perform operations not performed byprocessor 702 quickly enough for special purposes. Examples of application specific ICs include graphics accelerator cards for generating images for display, cryptographic boards for encrypting and decrypting messages sent over a network, speech recognition, and interfaces to special external devices, such as robotic arms and medical scanning equipment that repeatedly perform some complex sequence of operations that are more efficiently implemented in hardware. - In the illustrated computer used as a router, the
computer system 700 includes switchingsystem 730 as special purpose hardware for switching information for flow over a network.Switching system 730 typically includes multiple communications interfaces, such ascommunications interface 770, for coupling to multiple other devices. In general, each coupling is with anetwork link 732 that is connected to another device in or attached to a network, such aslocal network 780 in the illustrated embodiment, to which a variety of external devices with their own processors are connected. In some embodiments an input interface or an output interface or both are linked to each of one or more external network elements. Although threenetwork links network links 732 in the illustrated embodiment, in other embodiments, more or fewer links are connected to switchingsystem 730.Network links 732 typically provides information communication through one or more networks to other devices that use or process the information. For example, network link 732 b may provide a connection throughlocal network 780 to ahost computer 782 or toequipment 784 operated by an Internet Service Provider (ISP).ISP equipment 784 in turn provides data communication services through the public, world-wide packet-switching communication network of networks now commonly referred to as theInternet 790. A computer called aserver 792 connected to the Internet provides a service in response to information received over the Internet. For example,server 792 provides routing information for use with switchingsystem 730. - The
switching system 730 includes logic and circuitry configured to perform switching functions associated with passing information among elements ofnetwork 780, including passing information received along one network link, e.g. 732 a, as output on the same or different network link, e.g., 732 c. Theswitching system 730 switches information traffic arriving on an input interface to an output interface according to pre-determined protocols and conventions that are well known. In some embodiments, switchingsystem 730 includes its own processor and memory to perform some of the switching functions in software. In some embodiments, switchingsystem 730 relies onprocessor 702,memory 704,ROM 706,storage 708, or some combination, to perform one or more switching functions in software. For example, switchingsystem 730, in cooperation withprocessor 704 implementing a particular protocol, can determine a destination of a packet of data arriving on input interface onlink 732 a and send it to the correct destination using output interface onlink 732 c. The destinations may includehost 782,server 792, other terminal devices connected tolocal network 780 orInternet 790, or other routing and switching devices inlocal network 780 orInternet 790. - The invention is related to the use of
computer system 700 for implementing the techniques described herein. According to one embodiment of the invention, those techniques are performed bycomputer system 700 in response toprocessor 702 executing one or more sequences of one or more instructions contained inmemory 704. Such instructions, also called software and program code, may be read intomemory 704 from another computer-readable medium such asstorage device 708. Execution of the sequences of instructions contained inmemory 704 causesprocessor 702 to perform the method steps described herein. In alternative embodiments, hardware, such as application specificintegrated circuit 720 and circuits in switchingsystem 730, may be used in place of or in combination with software to implement the invention. Thus, embodiments of the invention are not limited to any specific combination of hardware and software. - The signals transmitted over
network link 732 and other networks through communications interfaces such asinterface 770, which carry information to and fromcomputer system 700, are exemplary forms of carrier waves.Computer system 700 can send and receive information, including program code, through thenetworks network links 732 and communications interfaces such asinterface 770. In an example using theInternet 790, aserver 792 transmits program code for a particular application, requested by a message sent fromcomputer 700, throughInternet 790,ISP equipment 784,local network 780 and network link 732 b through communications interface in switchingsystem 730. The received code may be executed byprocessor 702 or switchingsystem 730 as it is received, or may be stored instorage device 708 or other non-volatile storage for later execution, or both. In this manner,computer system 700 may obtain application program code in the form of a carrier wave. - Various forms of computer readable media may be involved in carrying one or more sequence of instructions or data or both to
processor 702 for execution. For example, instructions and data may initially be carried on a magnetic disk of a remote computer such ashost 782. The remote computer loads the instructions and data into its dynamic memory and sends the instructions and data over a telephone line using a modem. A modem local to thecomputer system 700 receives the instructions and data on a telephone line and uses an infra-red transmitter to convert the instructions and data to an infra-red signal, a carrier wave serving as thenetwork link 732 b. An infrared detector serving as communications interface in switchingsystem 730 receives the instructions and data carried in the infrared signal and places information representing the instructions and data ontobus 710.Bus 710 carries the information tomemory 704 from whichprocessor 702 retrieves and executes the instructions using some of the data sent with the instructions. The instructions and data received inmemory 704 may optionally be stored onstorage device 708, either before or after execution by theprocessor 702 or switchingsystem 730. - 5.0 Extensions and Alternatives
- In the foregoing specification, the invention has been described with reference to specific embodiments thereof. It will, however, be evident that various modifications and changes may be made thereto without departing from the broader spirit and scope of the invention. The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense.
Claims (47)
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/362,703 US7568040B2 (en) | 2006-02-24 | 2006-02-25 | Techniques for establishing subscriber sessions on an access network using DHCP |
US11/362,702 US7853708B2 (en) | 2006-02-24 | 2006-02-25 | Techniques for replacing point to point protocol with dynamic host configuration protocol |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/362,296 US7624181B2 (en) | 2006-02-24 | 2006-02-24 | Techniques for authenticating a subscriber for an access network using DHCP |
US11/362,703 US7568040B2 (en) | 2006-02-24 | 2006-02-25 | Techniques for establishing subscriber sessions on an access network using DHCP |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/362,296 Continuation-In-Part US7624181B2 (en) | 2006-02-24 | 2006-02-24 | Techniques for authenticating a subscriber for an access network using DHCP |
Related Child Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/362,296 Continuation-In-Part US7624181B2 (en) | 2006-02-24 | 2006-02-24 | Techniques for authenticating a subscriber for an access network using DHCP |
US11/362,702 Continuation-In-Part US7853708B2 (en) | 2006-02-24 | 2006-02-25 | Techniques for replacing point to point protocol with dynamic host configuration protocol |
Publications (2)
Publication Number | Publication Date |
---|---|
US20070203990A1 true US20070203990A1 (en) | 2007-08-30 |
US7568040B2 US7568040B2 (en) | 2009-07-28 |
Family
ID=38438039
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/362,296 Expired - Fee Related US7624181B2 (en) | 2006-02-24 | 2006-02-24 | Techniques for authenticating a subscriber for an access network using DHCP |
US11/362,703 Expired - Fee Related US7568040B2 (en) | 2006-02-24 | 2006-02-25 | Techniques for establishing subscriber sessions on an access network using DHCP |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/362,296 Expired - Fee Related US7624181B2 (en) | 2006-02-24 | 2006-02-24 | Techniques for authenticating a subscriber for an access network using DHCP |
Country Status (3)
Country | Link |
---|---|
US (2) | US7624181B2 (en) |
EP (2) | EP1987629B1 (en) |
WO (1) | WO2007098314A2 (en) |
Cited By (20)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090210518A1 (en) * | 2008-02-15 | 2009-08-20 | Redback Networks, Inc. | Methods and apparatuses for dynamically provisioning a dynamic host configuration protocol (dhcp) client as a clientless internet protocol services (clips) subscriber on a last-resort interface |
US20100077071A1 (en) * | 2008-09-19 | 2010-03-25 | International Business Machines Corporation | Method and system for automatic network connection establishment in case of network address renewal |
US20100223661A1 (en) * | 2007-11-16 | 2010-09-02 | Huawei Technologies Co., Ltd. | Method, system, and apparatus for processing access prompt information |
US20120311078A1 (en) * | 2011-05-31 | 2012-12-06 | Amx Llc | Apparatus, method, and computer program for streaming media peripheral address and capability configuration |
US20130304893A1 (en) * | 2010-06-29 | 2013-11-14 | Alcatel-Lucent | Diameter session audits |
US8914523B2 (en) * | 2010-05-17 | 2014-12-16 | Verizon Patent And Licensing Inc. | Dynamic internet protocol registry for mobile internet protocol based communications |
EP3022956A1 (en) * | 2013-07-15 | 2016-05-25 | Qualcomm Incorporated | System and method to assign an internet protocol address to a mobile device during a handoff |
US20160261414A1 (en) * | 2015-03-06 | 2016-09-08 | Comcast Cable Communications, Llc | Secure authentication of remote equipment |
US20170264563A1 (en) * | 2013-11-29 | 2017-09-14 | Calgary Scientific Inc. | Method for providing a connection of a client to an unmanaged service in a client-server remote access system |
US10158701B2 (en) | 2011-03-21 | 2018-12-18 | Calgary Scientific Inc.. | Method and system for providing a state model of an application program |
US10284688B2 (en) | 2011-09-30 | 2019-05-07 | Calgary Scientific Inc. | Tiered framework for proving remote access to an application accessible at a uniform resource locator (URL) |
US10334042B2 (en) | 2008-11-26 | 2019-06-25 | Calgary Scientific Inc. | Method and system for providing remote access to a state of an application program |
US10410306B1 (en) | 2011-01-04 | 2019-09-10 | Calgary Scientific Inc. | Method and system for providing remote access to data for display on a mobile device |
US10454979B2 (en) | 2011-11-23 | 2019-10-22 | Calgary Scientific Inc. | Methods and systems for collaborative remote application sharing and conferencing |
CN110636146A (en) * | 2018-06-25 | 2019-12-31 | 中国移动通信有限公司研究院 | User address allocation method and device |
US10673809B2 (en) * | 2015-09-29 | 2020-06-02 | Orange | Technique for managing an address in a local area network |
US10693940B2 (en) | 2011-08-15 | 2020-06-23 | Calgary Scientific Inc. | Remote access to an application program |
CN113259429A (en) * | 2021-05-11 | 2021-08-13 | 鸬鹚科技(深圳)有限公司 | Session keeping control method, device, computer equipment and medium |
US11381903B2 (en) | 2014-02-14 | 2022-07-05 | Sonic Blocks Inc. | Modular quick-connect A/V system and methods thereof |
US11483283B1 (en) * | 2021-07-27 | 2022-10-25 | Cisco Technology, Inc. | DHCP resource optimization for randomized and changing MAC address |
Families Citing this family (54)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7624181B2 (en) * | 2006-02-24 | 2009-11-24 | Cisco Technology, Inc. | Techniques for authenticating a subscriber for an access network using DHCP |
US7853708B2 (en) * | 2006-02-24 | 2010-12-14 | Cisco Technology, Inc. | Techniques for replacing point to point protocol with dynamic host configuration protocol |
FR2902253B1 (en) * | 2006-06-13 | 2009-04-03 | Ingenico Sa | METHOD AND DEVICE FOR AUTHENTICATING A USER |
CN101355474B (en) * | 2007-07-25 | 2010-09-08 | 华为技术有限公司 | Method and equipment for requesting and distributing connection point address |
US8806565B2 (en) | 2007-09-12 | 2014-08-12 | Microsoft Corporation | Secure network location awareness |
US8239549B2 (en) * | 2007-09-12 | 2012-08-07 | Microsoft Corporation | Dynamic host configuration protocol |
US7940773B2 (en) * | 2008-01-18 | 2011-05-10 | Embarq Holdings Company, Llc | System, method and apparatus for automated ATM to ethernet provisioning |
US8917718B2 (en) | 2008-10-13 | 2014-12-23 | Centurylink Intellectual Property Llc | System, method, and apparatus for user-initiated provisioning of a communication device |
US20100107231A1 (en) * | 2008-10-20 | 2010-04-29 | Telefonaktiebolaget L M Ericsson (Publ) | Failure indication |
US8285875B2 (en) * | 2009-01-28 | 2012-10-09 | Juniper Networks, Inc. | Synchronizing resource bindings within computer network |
US8880656B2 (en) * | 2009-05-12 | 2014-11-04 | Cisco Technology, Inc. | Customer edge device auto-configuration |
US7996526B2 (en) | 2009-06-08 | 2011-08-09 | Comcast Cable Communications, Llc | Management of shared access network |
US8375134B2 (en) * | 2009-06-08 | 2013-02-12 | Microsoft Corporation | Determining an efficient keep-alive interval for a network connection |
DE102009039098A1 (en) * | 2009-08-27 | 2011-03-03 | Siemens Aktiengesellschaft | Method for operating communication network, involves accessing communication network which is provided perpendicularly, if predetermined data communication takes place inside communication network |
US8175098B2 (en) * | 2009-08-27 | 2012-05-08 | Verisign, Inc. | Method for optimizing a route cache |
US8699411B1 (en) | 2009-09-30 | 2014-04-15 | Google Inc. | Dynamic TDMA system for TV white space MIMO wireless |
US8559455B1 (en) | 2009-09-30 | 2013-10-15 | Google Inc. | Dynamic scheduling scheme for TV white-space MIMO wireless system |
US8396086B1 (en) | 2009-09-30 | 2013-03-12 | Google Inc. | Scalable association scheme for TV white-space MIMO wireless system |
US8565138B1 (en) | 2009-09-30 | 2013-10-22 | Google Inc. | Random shuffling mechanism for MIMO wireless system |
US8260902B1 (en) * | 2010-01-26 | 2012-09-04 | Juniper Networks, Inc. | Tunneling DHCP options in authentication messages |
US8560658B2 (en) * | 2010-03-23 | 2013-10-15 | Juniper Networks, Inc. | Managing distributed address pools within network devices |
US8640212B2 (en) | 2010-05-27 | 2014-01-28 | Red Hat, Inc. | Securing passwords with CAPTCHA based hash when used over the web |
US8631100B2 (en) | 2010-07-20 | 2014-01-14 | Juniper Networks, Inc. | Automatic assignment of hardware addresses within computer networks |
US8782211B1 (en) | 2010-12-21 | 2014-07-15 | Juniper Networks, Inc. | Dynamically scheduling tasks to manage system load |
US9100305B2 (en) | 2011-07-12 | 2015-08-04 | Cisco Technology, Inc. | Efficient admission control for low power and lossy networks |
US8972537B2 (en) | 2011-08-16 | 2015-03-03 | Comcast Cable Communications, Llc | Prioritizing local and network traffic |
US8892710B2 (en) | 2011-09-09 | 2014-11-18 | Microsoft Corporation | Keep alive management |
US8806250B2 (en) | 2011-09-09 | 2014-08-12 | Microsoft Corporation | Operating system management of network interface devices |
US9049660B2 (en) | 2011-09-09 | 2015-06-02 | Microsoft Technology Licensing, Llc | Wake pattern management |
US9215234B2 (en) * | 2012-01-24 | 2015-12-15 | Hewlett Packard Enterprise Development Lp | Security actions based on client identity databases |
WO2013126918A1 (en) * | 2012-02-24 | 2013-08-29 | Ruckus Wireless, Inc. | Wireless services gateway |
US9894599B2 (en) | 2012-06-13 | 2018-02-13 | Qualcomm, Incorporated | Method and apparatus for WLAN initial link setup |
CN102905292B (en) * | 2012-09-21 | 2015-06-10 | 中兴通讯股份有限公司 | Mobile terminal network port management method and device |
US8850543B2 (en) * | 2012-12-23 | 2014-09-30 | Mcafee, Inc. | Hardware-based device authentication |
US9300627B2 (en) * | 2013-03-14 | 2016-03-29 | Time Warner Cable Enterprises Llc | System and method for automatic routing of dynamic host configuration protocol (DHCP) traffic |
US9525662B2 (en) | 2013-04-22 | 2016-12-20 | Cisco Technology, Inc. | Automatic assignment of internet protocol addresses in a ring network |
US9191209B2 (en) * | 2013-06-25 | 2015-11-17 | Google Inc. | Efficient communication for devices of a home network |
US9444728B2 (en) | 2013-07-30 | 2016-09-13 | Cisco Technology, Inc. | Packet switching device including cascaded aggregation nodes |
US10887314B2 (en) * | 2015-09-29 | 2021-01-05 | Verisign, Inc. | Access control for named domain networking |
US10084705B2 (en) | 2015-10-30 | 2018-09-25 | Microsoft Technology Licensing, Llc | Location identification of prior network message processor |
CN107404544B (en) * | 2016-05-19 | 2020-10-30 | 联想企业解决方案(新加坡)有限公司 | Method and apparatus for IP address assignment |
WO2018160680A1 (en) * | 2017-02-28 | 2018-09-07 | Arris Enterprises Llc | Wide-area network automatic detection |
US10805292B2 (en) * | 2018-02-19 | 2020-10-13 | Fmr Llc | Secure authentication and network access management for mobile computing devices |
EP3769556A1 (en) * | 2018-03-20 | 2021-01-27 | Telefonaktiebolaget LM Ericsson (publ) | Initial network authorization for a communications device |
US10992637B2 (en) | 2018-07-31 | 2021-04-27 | Juniper Networks, Inc. | Detecting hardware address conflicts in computer networks |
US10931628B2 (en) | 2018-12-27 | 2021-02-23 | Juniper Networks, Inc. | Duplicate address detection for global IP address or range of link local IP addresses |
US11165744B2 (en) | 2018-12-27 | 2021-11-02 | Juniper Networks, Inc. | Faster duplicate address detection for ranges of link local addresses |
JP7234726B2 (en) * | 2019-03-20 | 2023-03-08 | 富士フイルムビジネスイノベーション株式会社 | Communication device, communication system, and program |
US10965637B1 (en) | 2019-04-03 | 2021-03-30 | Juniper Networks, Inc. | Duplicate address detection for ranges of global IP addresses |
US11539528B2 (en) * | 2020-03-02 | 2022-12-27 | Bank Of America Corporation | System for authorizing secured access using cryptographic hash value validations |
JPWO2021182025A1 (en) * | 2020-03-13 | 2021-09-16 | ||
US11641374B2 (en) * | 2020-05-26 | 2023-05-02 | Dell Products L.P. | Determine a trusted dynamic host configuration protocol (DHCP) server in a DHCP snooping environment |
US11606333B1 (en) * | 2022-03-04 | 2023-03-14 | Cisco Technology, Inc. | Synchronizing dynamic host configuration protocol snoop information |
US20240129127A1 (en) * | 2022-10-18 | 2024-04-18 | Dell Products, L.P. | Systems and methods for dual hash rolling patch secure authentication |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6286039B1 (en) * | 1997-08-28 | 2001-09-04 | Cisco Technology, Inc. | Automatic static to dynamic IP address and DNS address management for remote communications network access |
US20020006133A1 (en) * | 2000-07-14 | 2002-01-17 | Mitsuaki Kakemizu | Communications service providing system, and mobile terminal device, address server device, and router device for use therewith |
US20020013844A1 (en) * | 2000-03-20 | 2002-01-31 | Garrett John W. | Service selection in a shared access network supporting quality of service |
US20020098840A1 (en) * | 1998-10-09 | 2002-07-25 | Hanson Aaron D. | Method and apparatus for providing mobile and other intermittent connectivity in a computing environment |
US20030101243A1 (en) * | 2001-11-27 | 2003-05-29 | Donahue David B. | System and method for automatic confuguration of a bi-directional IP communication device |
US20050105529A1 (en) * | 2003-10-31 | 2005-05-19 | Peter Arberg | Network element modifying the DHCP lease timer |
US20050286518A1 (en) * | 2004-06-28 | 2005-12-29 | Ezibro Networks Ltd. | Device for enabling intra-edge routing-less premises internet protocol communication and communication method using the same |
US7342906B1 (en) * | 2003-04-04 | 2008-03-11 | Airespace, Inc. | Distributed wireless network security system |
Family Cites Families (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6092110A (en) * | 1997-10-23 | 2000-07-18 | At&T Wireless Svcs. Inc. | Apparatus for filtering packets using a dedicated processor |
EP1175765B1 (en) * | 1999-05-03 | 2004-09-08 | Nokia Corporation | SIM BASED AUTHENTICATION MECHANISM FOR DHCRv4/v6 MESSAGES |
US6505766B2 (en) | 2001-03-30 | 2003-01-14 | Illinois Tool Works Inc. | Feed wheel for strapping tool |
US7164904B2 (en) * | 2002-01-28 | 2007-01-16 | Research In Motion Limited | Multiple-processor wireless mobile communication device |
US7082535B1 (en) * | 2002-04-17 | 2006-07-25 | Cisco Technology, Inc. | System and method of controlling access by a wireless client to a network that utilizes a challenge/handshake authentication protocol |
US7461251B2 (en) * | 2002-05-09 | 2008-12-02 | Canon Kabushiki Kaisha | Public key certification issuing apparatus |
US7953088B2 (en) * | 2003-06-10 | 2011-05-31 | Cisco Technology, Inc. | Method and apparatus for packet classification and rewriting |
WO2005104500A1 (en) | 2004-04-23 | 2005-11-03 | Telefonaktiebolaget Lm Ericsson (Publ) | Aaa support for dhcp |
WO2006081507A1 (en) * | 2005-01-28 | 2006-08-03 | Broadcom Corporation | Method and system for mitigating denial of service in a communication network |
US20070180499A1 (en) * | 2006-01-31 | 2007-08-02 | Van Bemmel Jeroen | Authenticating clients to wireless access networks |
US7853708B2 (en) * | 2006-02-24 | 2010-12-14 | Cisco Technology, Inc. | Techniques for replacing point to point protocol with dynamic host configuration protocol |
US7624181B2 (en) * | 2006-02-24 | 2009-11-24 | Cisco Technology, Inc. | Techniques for authenticating a subscriber for an access network using DHCP |
-
2006
- 2006-02-24 US US11/362,296 patent/US7624181B2/en not_active Expired - Fee Related
- 2006-02-25 US US11/362,703 patent/US7568040B2/en not_active Expired - Fee Related
-
2007
- 2007-02-03 WO PCT/US2007/061581 patent/WO2007098314A2/en active Application Filing
- 2007-02-03 EP EP07756636.2A patent/EP1987629B1/en not_active Not-in-force
- 2007-02-03 EP EP17184037.4A patent/EP3267653B1/en active Active
Patent Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6286039B1 (en) * | 1997-08-28 | 2001-09-04 | Cisco Technology, Inc. | Automatic static to dynamic IP address and DNS address management for remote communications network access |
US20020098840A1 (en) * | 1998-10-09 | 2002-07-25 | Hanson Aaron D. | Method and apparatus for providing mobile and other intermittent connectivity in a computing environment |
US20020013844A1 (en) * | 2000-03-20 | 2002-01-31 | Garrett John W. | Service selection in a shared access network supporting quality of service |
US20020006133A1 (en) * | 2000-07-14 | 2002-01-17 | Mitsuaki Kakemizu | Communications service providing system, and mobile terminal device, address server device, and router device for use therewith |
US20030101243A1 (en) * | 2001-11-27 | 2003-05-29 | Donahue David B. | System and method for automatic confuguration of a bi-directional IP communication device |
US7342906B1 (en) * | 2003-04-04 | 2008-03-11 | Airespace, Inc. | Distributed wireless network security system |
US20050105529A1 (en) * | 2003-10-31 | 2005-05-19 | Peter Arberg | Network element modifying the DHCP lease timer |
US20050286518A1 (en) * | 2004-06-28 | 2005-12-29 | Ezibro Networks Ltd. | Device for enabling intra-edge routing-less premises internet protocol communication and communication method using the same |
Cited By (33)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100223661A1 (en) * | 2007-11-16 | 2010-09-02 | Huawei Technologies Co., Ltd. | Method, system, and apparatus for processing access prompt information |
US8433807B2 (en) * | 2007-11-16 | 2013-04-30 | Huawei Technologies Co., Ltd. | Method, system, and apparatus for processing access prompt information |
US8572217B2 (en) * | 2008-02-15 | 2013-10-29 | Ericsson Ab | Methods and apparatuses for dynamically provisioning a dynamic host configuration protocol (DHCP) client as a clientless internet protocol services (CLIPS) subscriber on a last-resort interface |
US20090210518A1 (en) * | 2008-02-15 | 2009-08-20 | Redback Networks, Inc. | Methods and apparatuses for dynamically provisioning a dynamic host configuration protocol (dhcp) client as a clientless internet protocol services (clips) subscriber on a last-resort interface |
US20100077071A1 (en) * | 2008-09-19 | 2010-03-25 | International Business Machines Corporation | Method and system for automatic network connection establishment in case of network address renewal |
US7882224B2 (en) * | 2008-09-19 | 2011-02-01 | International Business Machines Corporation | Method and system for automatic network connection establishment in case of network address renewal |
US10965745B2 (en) | 2008-11-26 | 2021-03-30 | Calgary Scientific Inc. | Method and system for providing remote access to a state of an application program |
US10334042B2 (en) | 2008-11-26 | 2019-06-25 | Calgary Scientific Inc. | Method and system for providing remote access to a state of an application program |
US8914523B2 (en) * | 2010-05-17 | 2014-12-16 | Verizon Patent And Licensing Inc. | Dynamic internet protocol registry for mobile internet protocol based communications |
US20130304893A1 (en) * | 2010-06-29 | 2013-11-14 | Alcatel-Lucent | Diameter session audits |
US8965962B2 (en) * | 2010-06-29 | 2015-02-24 | Alcatel Lucent | Diameter session audits |
US10410306B1 (en) | 2011-01-04 | 2019-09-10 | Calgary Scientific Inc. | Method and system for providing remote access to data for display on a mobile device |
US10158701B2 (en) | 2011-03-21 | 2018-12-18 | Calgary Scientific Inc.. | Method and system for providing a state model of an application program |
US9635064B2 (en) * | 2011-05-31 | 2017-04-25 | Amx Llc | Apparatus, method, and computer program for streaming media peripheral address and capability configuration |
US20120311078A1 (en) * | 2011-05-31 | 2012-12-06 | Amx Llc | Apparatus, method, and computer program for streaming media peripheral address and capability configuration |
US10693940B2 (en) | 2011-08-15 | 2020-06-23 | Calgary Scientific Inc. | Remote access to an application program |
US10284688B2 (en) | 2011-09-30 | 2019-05-07 | Calgary Scientific Inc. | Tiered framework for proving remote access to an application accessible at a uniform resource locator (URL) |
US10904363B2 (en) | 2011-09-30 | 2021-01-26 | Calgary Scientific Inc. | Tiered framework for proving remote access to an application accessible at a uniform resource locator (URL) |
US10454979B2 (en) | 2011-11-23 | 2019-10-22 | Calgary Scientific Inc. | Methods and systems for collaborative remote application sharing and conferencing |
EP3022956A1 (en) * | 2013-07-15 | 2016-05-25 | Qualcomm Incorporated | System and method to assign an internet protocol address to a mobile device during a handoff |
US9979670B2 (en) * | 2013-11-29 | 2018-05-22 | Calgary Scientific Inc. | Method for providing a connection of a client to an unmanaged service in a client-server remote access system |
US20170264563A1 (en) * | 2013-11-29 | 2017-09-14 | Calgary Scientific Inc. | Method for providing a connection of a client to an unmanaged service in a client-server remote access system |
US11381903B2 (en) | 2014-02-14 | 2022-07-05 | Sonic Blocks Inc. | Modular quick-connect A/V system and methods thereof |
US20180262352A1 (en) * | 2015-03-06 | 2018-09-13 | Comcast Cable Communications, Llc | Secure Authentication of Remote Equipment |
US10680835B2 (en) * | 2015-03-06 | 2020-06-09 | Comcast Cable Communications, Llc | Secure authentication of remote equipment |
US20200351107A1 (en) * | 2015-03-06 | 2020-11-05 | Comcast Cable Communications, Llc | Secure authentication of remote equipment |
US9998287B2 (en) * | 2015-03-06 | 2018-06-12 | Comcast Cable Communications, Llc | Secure authentication of remote equipment |
US20160261414A1 (en) * | 2015-03-06 | 2016-09-08 | Comcast Cable Communications, Llc | Secure authentication of remote equipment |
US11736304B2 (en) * | 2015-03-06 | 2023-08-22 | Comcast Cable Communications, Llc | Secure authentication of remote equipment |
US10673809B2 (en) * | 2015-09-29 | 2020-06-02 | Orange | Technique for managing an address in a local area network |
CN110636146A (en) * | 2018-06-25 | 2019-12-31 | 中国移动通信有限公司研究院 | User address allocation method and device |
CN113259429A (en) * | 2021-05-11 | 2021-08-13 | 鸬鹚科技(深圳)有限公司 | Session keeping control method, device, computer equipment and medium |
US11483283B1 (en) * | 2021-07-27 | 2022-10-25 | Cisco Technology, Inc. | DHCP resource optimization for randomized and changing MAC address |
Also Published As
Publication number | Publication date |
---|---|
WO2007098314A3 (en) | 2008-11-20 |
US7568040B2 (en) | 2009-07-28 |
EP1987629A4 (en) | 2011-12-28 |
WO2007098314A2 (en) | 2007-08-30 |
EP3267653A1 (en) | 2018-01-10 |
US20070204330A1 (en) | 2007-08-30 |
EP1987629A2 (en) | 2008-11-05 |
US7624181B2 (en) | 2009-11-24 |
EP3267653B1 (en) | 2019-08-07 |
EP1987629B1 (en) | 2017-08-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7568040B2 (en) | Techniques for establishing subscriber sessions on an access network using DHCP | |
US7853708B2 (en) | Techniques for replacing point to point protocol with dynamic host configuration protocol | |
US8086749B2 (en) | Techniques for migrating a point to point protocol to a protocol for an access network | |
CN100566334C (en) | Dynamic Service is selected and the end user disposes Ethernet Digital Subscriber Line Access Multiplexer and method are provided | |
US7039049B1 (en) | Method and apparatus for PPPoE bridging in a routing CMTS | |
EP2241091B1 (en) | Combining locally addressed devices and wide area network (wan) addressed devices on a single network | |
US7525972B2 (en) | Techniques for encapsulating point to point protocol (PPP) over Ethernet frames | |
CN1938982B (en) | Method and apparatus for preventing network attacks by authenticating internet control message protocol packets | |
US20050207414A1 (en) | Apparatus and method for automatic cluster network device address assignment | |
US6061728A (en) | Arrangement for controlling network proxy device traffic on a transparently-bridged local area network using a master proxy device | |
US20070110048A1 (en) | Techniques for inserting internet protocol services in a broadband access network | |
WO2009138034A1 (en) | Method and apparatus for internet protocol version six (ipv6) addressing and packet filtering in broadband networks | |
JP2007536851A (en) | Session-based packet switching equipment | |
JP2007158869A (en) | Router device and communication system | |
US20080049765A1 (en) | Method and system for inter working a point-to-point link and a LAN service | |
Rayes et al. | The internet in IoT | |
US8204080B2 (en) | Techniques for encapsulating point to point (PPP) over Ethernet frames | |
Hu et al. | RFC 8772 The China Mobile, Huawei, and ZTE Broadband Network Gateway (BNG) Simple Control and User Plane Separation Protocol (S-CUSP) | |
EP1962453A1 (en) | Method for enabling network node redundancy in an access network, messages and nodes | |
EP4312406A1 (en) | Separate pfcp session model for network access by residential gateways | |
WO2023036135A1 (en) | Message transceiving method, information acquisition and transceiving method, and related device | |
JP2008263437A (en) | Network system and aggregator | |
KR100702783B1 (en) | System and method for devices with identical MAC address in a subnet in IP based internet access network | |
CA2411621A1 (en) | Connecting ethernet networks to ppp networks in internet access equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: CISCO TECHNOLOGY, INC., CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:TOWNSLEY, WILLIAM MARK;PRUSS, RICHARD;DROMS, RALPH;REEL/FRAME:017805/0296;SIGNING DATES FROM 20060315 TO 20060317 |
|
STCF | Information on status: patent grant |
Free format text: PATENTED CASE |
|
FPAY | Fee payment |
Year of fee payment: 4 |
|
FPAY | Fee payment |
Year of fee payment: 8 |
|
FEPP | Fee payment procedure |
Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
|
LAPS | Lapse for failure to pay maintenance fees |
Free format text: PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
|
STCH | Information on status: patent discontinuation |
Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362 |
|
FP | Lapsed due to failure to pay maintenance fee |
Effective date: 20210728 |